Daily Tech Digest - April 20, 2018

Google disables “domain fronting” capability used to evade censors

Domain fronting uses a manipulation of the secure HTTP Web protocol (HTTPS) and the Transport Layer Security (TLS) standard to help fool deep packet inspection systems and firewall rules about the intended destination of a Web request and to exploit the functionality of content delivery networks (CDNs). Domain names show up three times during a Web request—as part of a DNS query for the IP address of the site, in the Server Name Indication (SNI) extension of TLS (which tells a server with multiple sites which domain the traffic is for), and in the HTTP "host" header of the Web request. For HTTP traffic, all three of those instances of the domain name are visible to a censor's network gear; when surfing an HTTPS site, the HTTP header is encrypted. In a domain fronting scheme, the DNS request and SNI extension use the domain name of an unblocked host, but the HTTPS header contains the actual destination—which the request is then forwarded to, as long as it's part of the same CDN. That destination is usually a proxy server, VPN gateway, or a Tor bridge.

Software Design Principles DRY and KISS

DRY stand for "Don't Repeat Yourself," a basic principle of software development aimed at reducing repetition of information. The DRY principle is stated as, "Every piece of knowledge or logic must have a single, unambiguous representation within a system." "We enjoy typing" (or, "Wasting everyone's time."): "We enjoy typing," means writing the same code or logic again and again. It will be difficult to manage the code and if the logic changes, then we have to make changes in all the places where we have written the code, thereby wasting everyone's time.To avoid violating the DRY principle, divide your system into pieces. Divide your code and logic into smaller reusable units and use that code by calling it where you want. Don't write lengthy methods, but divide logic and try to use the existing piece in your method. ... The KISS principle is descriptive to keep the code simple and clear, making it easy to understand. After all, programming languages are for humans to understand — computers can only understand 0 and 1 — so keep coding simple and straightforward. Keep your methods small. Each method should never be more than 40-50 lines.

Nine Things That Are Poised To Impact Cybersecurity

The next wave of cybersecurity attacks will come from the internet-of-things (IoT) devices like appliances, lights and cameras. These types of devices are cheap, easy to hack, can be found in large numbers and are geographically distributed, making them ideal targets for a hacker to commandeer and launch a distributed-denial-of-service (DDoS) attack on an unsuspecting enterprise. ... Utilize multi-factor authentication and SSO technologies to get a handle on authentication. Integrating this with Hashicorp Vault or an HSM solution can bring about encryption key management, encryption key rotation and administration of all your data. For sensitive information within databases, consider field-level encryption so that even with the breach, any data that is leaked is encrypted. ... Decentralizing data used for authentication is here and doing it for more PII is next. Firms are abandoning storage of biometrics, PINs, and passwords and now secure them on endpoints like mobile devices. Users authenticate on-device and swap public keys with their service provider.

Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others

The data was found in a human-readable, newline-delimited JSON file. The data collected includes names and physical addresses, and employment information and job histories data, and more, scraped from Facebook, LinkedIn, and Twitter profiles. UpGuard's own report, published Wednesday, contained search queries that Localblox would use to cycle through email addresses that it had collected through Facebook's search engine to retrieve users' photos, current job title and employer information, and additional family information. Facebook locked down its search feature earlier this month after scammers were running automated searches to harvest people's data. It's also believed that the company supplements its collected data from non-public sources, like purchased marketing data. The data is then compiled, organized and blended into existing individual profiles. The report described the collection operation as an effort to "build a three-dimensional picture on every individual affected" to use for advertising or political campaigning.

DevOps is key to low-code BPM, digital process automation

Created to reduce manual intervention in business process implementations across organizations, business process management (BPM) software did automate manual tasks. Until recently, however, the development of that software wasn't an automated affair. During a business process software development project a decade ago, Scrum master Reshma Nagrani relied on tools that were hardcoded and that had fragile code. It was hard to modify the existing software, so the project needed to be customized, and it wasn't easy to find the talent to do the customization work. Today, older BPM suites (BPMS) are more robust than ever in that they are customizable and customer-centric. New low-code BPM tools are so simple that non-IT business people can develop enterprise apps, although they're not so simple that companies don't need business process developers and managers. Indeed, their roles in DevOps teams and emerging digital process automation (DPA) projects remain critically important.

UK Commonwealth cyber security funding welcomed

The Commonwealth Cyber Declaration sets out, for the first time, a common vision for ensuring the internet remains free and open across the Commonwealth. It will commit members to raising national levels of cyber security and increased cooperation to counter those who seek to undermine nations’ values, security, even the integrity of elections. The new funding will help Commonwealth countries to prevent and respond to cyber security risks affecting governments, businesses and citizens. Some £5.5m of the funding has been earmarked to enable low- and middle-income Commonwealth members to carry out national cyber security capacity reviews before the next CHOGM in 2020. Prime minister Theresa May said cyber security affects all countries because online crime does not respect international borders. “I have called on Commonwealth leaders to take action and to work collectively to tackle this threat,” she said. “Our package of funding will enable members to review their cyber security capability, and deliver the stability and resilience that we all need to stay safe online and grow our digital economies.

What is hybrid cloud really, and what's the best strategy?

cloud computing business services
In an attempt to create clarity, some companies and vendors started using the term multi-cloud instead of hybrid, indicating that the strategy simply involves more than one cloud – public-public or public-private. Others have applied their own definitions to hybrid cloud to include any combination of public and private cloud with consistent platforms and/or services, but those are relatively new, she says.  Indeed, the market itself is shaping the definition of hybrid cloud, and analysts and vendors are beginning to fall in line in agreement on the definition a true hybrid cloud strategy. Increasingly, it’s about moving workloads seamlessly between public and private cloud platforms and creating a consistent architecture across both environments. Some vendors are promising these capabilities soon, while others are already starting to deliver. “Hybrid cloud is a cloud computing environment that uses a mix of private cloud and public cloud services with orchestration between the platforms allowing data and applications to be shared between them,” says Ritu Jyoti, research director on IDC's enterprise storage, server and infrastructure software team.

Understanding fast data and its importance in an IoT-driven world

The first necessity is a streaming system that processes various events as quickly as they arrive. Next, there must be a data store that extracts information just as speedily. When they both work together, businesses are well-equipped to understand why fast data offers such a wealth of information they won’t want to overlook. Investigating what’s available now gives companies a leg up to prepare for the increasing prominence of IIoT technologies. Being proactive also gives business leaders a chance to think about how they can use fast data most effectively to get closer to their goals. There are several ways fast data aligns with business objectives. As the IoT becomes more prominent than ever, the gadgets people use every day increasingly have Wi-Fi-enabled sensors that collect data and give personalized information. Among the likely use cases for the industrial sector are intelligent lights that sense when people leave the room and turn off to save energy, plus water fixtures that measure utility usage over time to let leaders know when and where waste happens.

Data protection is a business issue, says IAPP

Unlike the information security industry, the data privacy industry does not have a gender bias issue, he said. “Our membership is approximately 50/50 and there is roughly equal representation of men and women at all levels of seniority, right from the very top down, with equal salaries for men and women doing the same jobs.” The privacy industry started about 20 years ago, said Tene, when companies started appointing privacy officers and treating privacy as a strategic business issue rather than a compliance issue. The first movers were data-intensive companies such as DoubleClick, IBM, Axiom and Microsoft. As a result, the privacy industry is more mature in the US, but has started to pick up significantly in Europe and in recent years, largely driven by the GDPR, said Tene. “Data privacy is increasingly a business issue, and we are seeing a growing emphasis in business on data management, data governance and data risk,” he said.

The Importance of Validating the Testing Infrastructure

Sometimes when given something to test, some key details may be forgotten—and that’s okay. That’s why, as testers, it’s on us to validate the test infrastructure before diving in. Fortunately, there are several ways to do so. ... Access each node by checking the IPs of the components and that they have the indicated services. Validate the operating systems, and verify their versions, as well as the versions of the components (for example, Java, Apache, etc). In a performance test, looking for optimizations, different configurations are usually tested, trying to improve the results, comparing the performance of different options. So, to validate that what is documented in the results is accurate, it is necessary to review the initial configurations (at least the most relevant ones). For example, the size of each connection pool (in the database or the web server), the maximum and minimum allocated memory (in the case of JVM), etc.

Quote for the day:

"You do not lead by hitting people over the head. That's assault, not leadership." -- Dwight D. Eisenhower

Daily Tech Digest - April 19, 2018

5G Security Challenges and Ways to Overcome Them

5G is on its way to serve vertical industries, not just individual customers who are more bothered about experiencing a faster mobile network or richer smart phone functionalities. When it comes to serving vertical industries, security requirements may vary from one service to the other. As the Internet of Things (IoT) continues to gain momentum, more people will be able to remotely operate networked devices and this will surely call for the deployment of a stricter user-authentication method to prevent unauthorized access to IoT devices. For example, biometric identification systems can be installed in smart homes. ... 5G networks are believed to be enhanced by the deployment of new cost-effective IT technologies such as virtualization and Software Defined Network (SDN)/Network Functions Virtualization (NFV). However, 5G services can be equipped with appropriate security mechanisms only if the network infrastructure is robust enough to support the security features. The security of function network elements, in legacy networks, depends, to a large extent, on how well their physical entities could be separated from each other.

As IoT devices grow in popularity, it creates a greater security vulnerability for consumers. Service providers and consumer electronics manufacturers can now leverage the USP standard to perform lifecycle management of connected devices and carry out upgrades to address critical security updates. Newly installed or purchased devices and virtual services can also be easily added, while customer support is improved by remote monitoring and troubleshooting of connected devices, services and home network links. Additionally, the specification enables secure control of IoT, smart home and smart networking functions and helps map the home network to manage service quality and monitor threats. Work on the USP specification was carried out by the Broadband User Services (BUS) Work Area, which is led by Co-Directors John Blackford of Arris, who is also a Broadband Forum board member, and Jason Walls of QA Cafe. AT&T, Axiros, Google, Greenwave Systems, Huawei, NEC, Nokia, and Orange also participated in developing USP.

Notes from the AI frontier: Applications and value of deep learning

Notes from the AI frontier: Applications and value of deep learning
Neural networks are a subset of machine learning techniques. Essentially, they are AI systems based on simulating connected “neural units,” loosely modeling the way that neurons interact in the brain. Computational models inspired by neural connections have been studied since the 1940s and have returned to prominence as computer processing power has increased and large training data sets have been used to successfully analyze input data such as images, video, and speech. AI practitioners refer to these techniques as “deep learning,” since neural networks have many (“deep”) layers of simulated interconnected neurons. ... Deep learning’s capacity to analyze very large amounts of high dimensional data can take existing preventive maintenance systems to a new level. Layering in additional data, such as audio and image data, from other sensors—including relatively cheap ones such as microphones and cameras—neural networks can enhance and possibly replace more traditional methods. AI’s ability to predict failures and allow planned interventions can be used to reduce downtime and operating costs while improving production yield.

From BDD to TDD, the pros and cons of various agile techniques

citizen developers
Distributed agile makes it possible to escape any constraints of space or skills and experience in your immediate location. Modern collaboration tools like Slack, Skype, Teams, and Hangouts have made this possible. You can actually work together on stories without being in the same place and ask questions without disturbing your coworkers’ flow. Trust, rapport and communication are still essential. That’s why distributed agile works best when you have at least two teammates in any given location, they meet face to face periodically, and understand each other’s language and culture well. It’s helpful to have the whole team within a short flight and similar time zones so you can easily collaborate physically as well as virtually when needed. That team solidarity makes all the difference when you’re trying to crack a tough problem, get business or user feedback, or just onboard new team members. Agile works best when there is fast, frequent communication through standups and other formal and informal collaboration.

The evolution of forensic investigations

Protecting data, intellectual property (IP), and finances has become an increasing priority at the board room level as fraudsters proliferate and constantly adapt to more sophisticated controls and monitoring. While most organizations are susceptible to seemingly boundless criminal ingenuity, those lacking antifraud controls are predictably worse off, suffering twice the median fraud losses of those with controls in place. However, even organizations with antifraud controls can have their investigative efforts impeded by several factors. Reliance on rules-based testing is a primary culprit. Rules-based tests typically assess and monitor fraud risks across a single data set, giving only a yes or no answer. Information silos further impede analytics-aided investigative efforts. Organizations often struggle to balance the need for locally-tailored processes with the potential benefits of integrated data sharing, unintentionally creating barriers to investigative exploration as a result. The vast and growing volumes of unstructured data amassing in organizations, such as videos, images, emails, and text files.

City & Guilds Group deploys SD-WAN to improve Office 365 performance

City & Guilds Group deploys SD-WAN to improve Office 365 performance
It’s a different story, though, for workers located remotely like in the Asia-Pacific region. For those individuals, the experience can be very frustrating. I have first-hand experience with this. Prior to being an analyst, I spent some time as a consultant, and I remember trying open PowerPoint and Word documents out of region and it would often take minutes. Sometimes the process would go “not responding,” necessitating the need to shut down the application and start over. The most frustrating part was that there was no way of telling whether the file was still being downloaded or if the process died. I would often “open” the files and then go do something else for a while and come back and hope they finished opening. Bandwidth speeds have increased, but so have the size of Office documents. This is the situation that remote City & Guilds workers were facing. For example, users in Wellington, New Zealand, saw extremely slow response times when accessing files from the corporate Share Point drive, leading to a number of user complaints and a loss of productivity.

Google Cloud speech-to-text service gets revamp

In the future, enterprises will be able to feed automatically generated transcripts of business conversations into virtual assistants like IBM Watson or Google Assistant, helping those machines learn how to assist workers or customers better. "If you have your VP of marketing provide an overview of what a particular product does, that video is captured, that audio is converted into text, that text becomes searchable, and, ultimately, that text can be fed into machine intelligence systems," Vonder Haar said. Vendors are continually improving their speech-to-text tools, but enterprises shouldn't wait until those platforms are perfect before experimenting with them, said Jon Arnold, principal of Toronto-based research and analysis firm J Arnold & Associates. "To me, the big takeaway is these platforms definitely provide a lot of exciting possibilities," Arnold said. "Do some harmless in-house trials, get a feel for it, because the use cases will come out of the woodwork once you start getting comfortable with it."

15 Ways To Build Security Into Your Development Process

Knowing where to focus your likely very limited resources is key, and can be tackled by performing application risk assessments and threat modeling. By better understanding where your product or service may have unacceptable risk exposure, you can focus your time and resources appropriately. - Vijay Bolina, Blackhawk Network  As with any collaborative endeavor that brings together people from different backgrounds, experiences and outlooks, it’s important to acknowledge the possibility of conflict up front and deal with it head-on. Senior leaders should be involved to explain why the DevSecOps ethos is so vital to the company’s future, and hold everyone accountable for advancing its success. - Todd DeLaughter, Automic Software, owned by CA Technologies (NASDAQ: CA) One of the most effective ways to embed security into software is to initiate the security on boot-up. When a user restarts their device or software, the manufacturer should run a series of boot tests to determine any changes in the software and that the software is entirely authentic.

Beyond Java: Programming languages on the JVM

Beyond Java: Programming languages on the JVM
If there is any language that is a known and proven quantity for developers, it’s Java. Enterprise developers, web developers, mobile developers, and plenty of others besides, have made Java ubiquitous and contributed to the massive culture of support around Java. What’s more, the Java runtime, or Java Virtual Machine (JVM), has become a software ecosystem all its own. In addition to Java, a great many other languages have leveraged the Java Virtual Machine to become powerful and valuable software development tools in their own right. Using the JVM as a runtime brings with it several benefits. The JVM has been refined over multiple decades, and can yield high performance when used well. Applications written in different languages on the JVM can share libraries and operate on the same data structures, while programmers take advantage of different language features. Below we profile several of the most significant programming languages created for the JVM. 

Microservices Communication and Governance Using Service Mesh

A service mesh is an infrastructure layer for service-to-service communication. It ensures reliable delivery of your messages across the entire system and is separate from the business logic of your services. Service meshes are often referred to as sidecars or proxies. As software fragments into microservices, service meshes go from being nice-to-have to essential. With a service mesh, not only will you ensure resilient network communications, you can also instrument for observability and control, without changing the application run-time. ... In the direct interpretation it could be used to describe both the network of microservices that make up distributed applications and the interactions between them. However, recently the term has been mostly applied to a dedicated infrastructure layer for handling service-to-service communication, usually implemented as lightweight network proxies (sidecars) that are deployed alongside application code. The application code can treat any other service in the architecture as a single logical component running on a local port on the same host.

Quote for the day:

"You never will be the person you can be if pressure, tension and discipline are taken out of your life." -- Dr James G Bilkey

Daily Tech Digest - April 18, 2018

Study Suggests Lack of Analytical Capability is Slowing IoT Adoption

IoT data is of no use if it isn’t analyzed appropriately, and descriptive analysis is essential for gaining a more granular view of specific processes. Prescriptive analysis matters as well; creating a strong feedback loop to optimize and even automate data analysis can create a much more powerful system. Artificial intelligence can be a cornerstone technology. Predictive capabilities are key to maximizing IoT resources, and effective IoT management involves recognizing patterns and responding accordingly. The power of IoT devices comes with a risk: Security. Capgemini stresses the importance of ground-up security investment, as a flawed architecture will always present certain risks even if it’s patched and monitored. ... Other components of a company’s resources need to be secured as well, but it’s important to recognize the unique nature of IoT devices and implement appropriate solutions instead of trying to fold IoT devices underneath a broader, but incompatible, security umbrella.

Using intelligence to advance security from the edge to the cloud

Security increasingly is a team sport not only within an enterprise but across the customer network. Intelligence data, in particular, gets better with additional signals coming in, and so we’re increasing the ability for customers and partners to collaborate with us, with one another and with their own customers. Today we’re announcing the preview of a new Microsoft Graph security API for connecting to Microsoft products powered by the Microsoft Intelligent Security Graph. The new security API provides an integration point that allows technology partners and customers to greatly enhance the intelligence of their products to speed up threat investigation and remediation. Already, leading companies like Palo Alto Networks, PwC and Anomali are exploring the security API for their own solutions. And because we’re committed to collaborating with customers and partners to enable integration between Microsoft’s security technology and the broader ecosystem, we are also announcing the new Microsoft Intelligent Security Association.

Security budgets up, but talent scarce, says Isaca

The data also shows that gender disparity can be mitigated through effective diversity programs. In organisations with a diversity program, men and women are much more likely to agree that men and women have the same career advancement opportunities. Some 87% of men said they have the same opportunities, compared with 77% of women. Another positive finding is that security managers are seeing a slight improvement in the number of qualified candidates. Last year, 37% said fewer than 25% of candidates for security positions were sufficiently qualified. This year, that number dropped to 30%. Budgets are also increasing, with 64% of respondents indicating that security budgets will increase this year, compared with 50% last year. “This research suggests that the persistent cyber security staffing problem is not a financial one. Even though enterprises have more budget than ever to hire, the available workforce lacks the skills organisations critically need,” said Isaca CEO Matt Loeb.

Cryptographers spank blockchain, social media

Marlinspike said blockchain's distributed nature can show value, but he said the problem is that there are not many apps where distributed is valued. "The consumer space sees zero value," he added, noting that blockchain reminds him of the peer-to-peer crazy in the early 2000s. "There were a lot of people with a lot of enthusiasm and ideas about a lot of great things, but it was not very sound." Marlinspike had similar feelings on social media, which he said has suffered a substantial perception hit in the past year. "The utopian narratives of connecting the world and organizing information is coming to an end.," he said. "Across all contexts and political spectrums, people are seeing social technology less as a hopeful tool for a brighter, better tomorrow and more like weapons everyone simultaneously thinks are in the wrong hands." He said this has direct consequences on society and things people are doing [at RSA] and what people and thinking in the worlds of privacy and cryptography."

Technology doesn’t mean you can forget the basics of customer service

Whether you step into a store, or order your shopping online, you expect a level of personalisation. No individual, or customer, is the same and should not be treated with the same manner, temperament and style of service. 66% of all consumers say they’re extremely or somewhat likely to switch brands if they feel like they’re treated like a number rather than an individual. With the explosion of data and digital interactions, customers now expect a more tailored service. One example of a company that aims to deliver this highly personal experience is Atom Bank, which lets customers design their own user interface when signing up to an account – whether that’s a brand logo, colour scheme or name. Speaking of this strategy, the bank has stated that “no one should have exactly the same experience of Atom”. This example, combined with plans to let customers access accounts through biometrics, perfectly showcases how some brands are making completely digital interactions as personal as if you were dealing with them face to face.

Stresspaint Malware Campaign Targeting Facebook Credentials

On April 12, 2018, Radware’s threat research group detected malicious activity via internal feeds of a group collecting user credentials and payment methods from Facebook users across the globe. The group manipulates victims via phishing emails to download a painting application called ‘Relieve Stress Paint.’ While benign in appearance, it runs a malware dubbed ‘Stresspaint’ in the background. Within a few days, the group had infected over 40,000 users, stealing tens of thousands Facebook user credentials/cookies. This rapid distribution and high infection rate indicates this malware was developed professionally. The group is specifically interested in users who own Facebook pages and that contain stored payment methods. We suspect that the group’s next target is Amazon as they have a dedicated section for it in the attack control panel. Radware will continue to analyze the campaign and monitor the group’s activity. Prior to publication of this alert, Radware has detected another variant of the malware and saw indication of this new version in the control panel.

Chatbots are dead. A lack of AI killed them.

While Bloch is right to say that "No one can point to a chatbot that 'all your friends were using'" as "Such a thing simply never existed," once upon a time many pundits pointed to chatbots as the future of commerce, social, and just about everything else. Chatbots were one of the big themes of Mobile World Congress 2017, with the conference organizers summarizing the buzz from main stage and hallway conversations thus: "There was overwhelming acceptance at the event of the inevitable shift of focus for brands and corporates to chatbots (often referred to as 'conversational commerce'), reflecting the need for brands to go where consumers are, even if many companies remain uncertain at this stage of the eventual outcome." While they went on to acknowledge that "the true potential of chatbots will require further advances in AI and machine learning," the people behind the industry's biggest mobile event felt the only significant question around chatbots had to do with who would dominate, and not whether chatbots would take off: "Will a single platform emerge to dominate the chatbot and personal assistant ecosystem?"

Five Surprising Reasons to Invest in Better Security Training

A businesswoman training colleagues in a meeting room.
Seventy-one percent of attacks against healthcare companies fall into this category, while 58 percent of incidents in financial services, the most-attacked sector, originate from insiders. The majority of these insiders are inadvertent actors — mostly employees who were tricked into initiating the attacks. These numbers expose the inadequacy of today’s normal training programs. They’re not frequent, memorable or thorough enough. In other words, they’re not working. The bottom line is that training has not kept up with the evolution of cyberthreats or their remedies. That’s why it’s more important than ever to implement the best possible tools to protect sensitive data. But decision-makers must remember that even the best software cannot stop all threats. For example, any employee with access to any phone anywhere at any time is potentially vulnerable to social engineering. The reality of bring-your-own-device (BYOD) environments is that employees may be connecting to company resources at all hours and exposing their devices to threats in arbitrary locations and over insecure networks. 

IoT devices could be next customer data frontier

Finally we, have sensors like iBeacons sitting in stores, providing retailers with a world of information about a customer’s journey through the store — what they like or don’t like, what they pick up, what they try on and so forth. There are very likely a host of other categories too, and all of this information is data that needs to be processed and understood just like any other signals coming from customers, but it also has unique characteristics around the volume and velocity of this data — it is truly big data with all of the issues inherent in processing that amount of data. The means it needs to be ingested, digested and incorporated into that central customer record-keeping system to drive the content and experiences you need to create to keep your customers happy — or so the marketing software companies tell us, at least. ... Regardless of the vendor, all of this is about understanding the customer better to provide a central data gathering system with the hope of giving people exactly what they want. We are no longer a generic mass of consumers.

DDoS attacks cost up to £35,000

The research also highlights the growing complexity of DDoS attacks, and their capacity to act as a distraction for more serious network incursions. The majority of those surveyed (85%) believe that DDoS attacks are used by attackers as a precursor or smokescreen for data breach activity. In addition, 71% reported that their organisation has experienced a ransom-driven DDoS attack. “A DDoS attack can often be a sign that an organisation’s data is also being targeted by cyber criminals. As demonstrated by the infamous Carphone Warehouse attack, DDoS attacks can be used as a smokescreen for non-DDoS hacking attempts on the network,” said Stephenson. “Hackers will gladly take advantage of distracted IT teams and degraded network security defences to exploit other vulnerabilities for financial gain. Considering the huge liability that organisations can face in the event of a data breach, IT teams must be proactive in defending against the DDoS threat, and monitor closely for malicious activity on their networks,” he said.

Quote for the day:

"To have long term success as a coach or in any position of leadership, you have to be obsessed in some way." -- Pat Riley

Daily Tech Digest - April 17, 2018

Why router-based attacks could be the next big trend in cybersecurity

The joint report indicates that once attackers have exploited SMI commands, "for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers," which allows the attacker to act as a man-in-the-middle, further enabling them to exfiltrate additional network configuration data, modify device configurations, copy OS data to an external server, create GRE tunnels, and mirror or redirect network traffic. In order to avoid risks to your organization, the report advises blocking Telnet use entirely as well as SNMPv1 and v2c, and analyzing logs for any SNMP traffic, noting that "Any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection." Additional mitigations include standard precautions such as not duplicating passwords between devices, not using default device passwords, and not allowing internet access to the management interface of devices.

DataStax Enterprise 6: Faster, fit and finish

Cassandra offers a "masterless" architecture, which means no single node is indispensable to the cluster. This enhances fault tolerance, availability and resiliency, but it has also created a burden: node repair operations, necessary to support the architecture, have been manual and arduous. In DSE 6, a new "NodeSync" feature makes node repair a completely automatic and implicit operation. Effectively, with the version 6 release, DSE becomes self-repairing. And while OpsCenter will still provide an interface to monitor the operation, such monitoring is purely optional, as the operation is now autonomous. Features like this one make it crystal-clear that DataStax understands Enterprise pain points and wants to address them head-on. Another proactive and automated feature in the care and feeding of DSE nodes is "TrafficControl." This feature will address Java Virtual Machine stress and other overload effects when too many concurrent requests are routed to a particular node in the cluster. The feature orchestrates the requests by queuing them, thus allowing the node to process them in an orderly fashion.

Machine learning is the new normal: AWS

Speaking at the AWS Summit in Sydney this week, Olivier Klein, head of emerging technologies at AWS in the Asia-Pacific region, said that the cloud service provider wants to push such capabilities into the hands of more people – from data scientists and developers to IT professionals. “Machine learning is now the new normal,” he said, adding that organisations that know how to harness machine learning will be successful, because they can get better, faster and more accurate predictions of their customer needs. This will help to improve customer experiences, starting with the ability to understand user interactions with sensors, internet of things devices and websites, through machine learning techniques. Take New Zealand-based Magic Memories, for instance. The supplier of guest photography services at theme parks has been using wristbands and AWS’s Rekognition artificial intelligence (AI) service to identify guests who may appear in different images, according to its head of engineering CJ Little.

How CIOs partner with CMOs to transform customer experience

How CIOs partner with CMOs to transform customer experience
Customer experience is the responsibility of every employee in the enterprise. But CIOs and CMOs, in particular, share a variety of corresponding and complementary objectives when it comes to customer experience strategy. This makes partnership not only desirable, but necessary. “When CMOs lead customer experience, they need a lot of cooperation across the enterprise, but typically the CIO is the most vital partner they can have,” says Augie Ray, a Gartner research director who covers customer experience (CX) for marketing leaders. “The reason for this is that information and insight are the lifeblood of customer experience. You cannot be customer-centric and make outside-in decisions unless you have the data, analysis and, understanding about what customers perceive, want, expect, feel, and do. Technology budgets worldwide reflect the criticality of tight alignment between marketing and IT. According to IDG’s 2018 State of the CIO Survey, 42 percent of global marketing teams have budgets specifically earmarked for investments in technology products and services.

Research finds that Open Banking has a Consumer Perception Problem

The research strongly suggests that banks are doing little to communicate with the consumer as 85 per cent of consumers have either never heard of, or are unsure what the Open Banking initiative is and how it will affect them. This is despite the Financial Conduct Authority (FCA) ordering nine of the country’s biggest banks – several of which missed the 13 January launch – to open up the information they hold so that it can be used to create new banking products and services. In addition to only one-in-six (14.3 per cent) being aware of the Open Banking initiative, less than a quarter (22.8 per cent) of respondents had heard about it directly from their own bank or building society. CREALOGIX is a fintech top 100 firm and a global market leader in digital banking. Its fintech solutions offer bank clients a better customer experience, greater security and effortless online money management. The CREALOGIX product and service range spans the areas of Digital Banking, Digital Payment and Digital Learning.

Successful Hybrid IT Deployment by Accident? Nope, It Takes Planning

Businesses that design their hybrid IT strategy by implementing two key technologies are more successful. These technologies include the use of continuous delivery automation and composable infrastructure. Continuous delivery is important because it promotes a constant, iterative development environment that is essential for keeping up with the changing needs of users. Composable infrastructure is also vital because it allows infrastructure to be treated as software code. IT operators can quickly and easily construct new infrastructure from a collection of building blocks, using software-defined, policy-based templates. Businesses that adopt continuous delivery combined with composable infrastructure report greater control over their workloads— 61% say they have extremely high levels of control, compared to 24% of those without these two technologies. Both technologies used together allow organization to better overcome challenges, realize innovation faster, and gain greater control over workloads.

How to Achieve #DigitalTransformation

The digital transformation starts by understanding the organization's business initiatives, and then prioritizing which initiatives are top candidates for enhancement through digital transformation. "Begin with an end in mind" to quote Stephen Covey. Organizations can then create a digital transformation roadmap that dictates how the organization leverages data, analytics (data science) and application development capabilities to deliver cloud-native "intelligent" applications (applications embedded with machine learning and artificial intelligence to optimize key processes and business decisions) and "smart" entities (that leverage the edge, fog and core IoT analytics to support the creation of "learning" business entities such as cities, cars, airports, hospitals, utilities and schools. In the end, digital transformation helps organizations become more effective in leveraging data and analytics to power their business models by optimizing key business processes, reducing security risks, uncovering new revenue opportunities and create a more compelling customer engagement and creating a more compelling, more prescriptive customer engagement

AI & Jobs: Retraining will become a 'lifelong necessity', warns report

"As AI decreases demand for some jobs but creates demand for others, retraining will become a lifelong necessity and pilot initiatives, like the Government's National Retraining Scheme, could become a vital part of our economy," the report states. "This will need to be developed in partnership with industry, and lessons must be learned from the apprenticeships scheme." Childhood education will also need to be reformed, according to the report, with schools teaching both the skills needed to work alongside AI and to take full advantage of the technology available. "For a proportion, this will mean a thorough education in AI-related subjects, requiring adequate resourcing of the computing curriculum and support for teachers," it states. "For all children, the basic knowledge and understanding necessary to navigate an AI-driven world will be essential. In particular, we recommend that the ethical design and use of technology becomes an integral part of the curriculum."

Blockchain Implementation With Java Code

Another significant technical point of blockchain technology is that it is distributed. The fact that they are append-only helps in duplicating the blockchain across nodes participating in the blockchain network. Nodes typically communicate in a peer-to-peer fashion, as is the case with Bitcoin, but it does not have to be this way. Other blockchain implementations use a decentralized approach, like using APIs via HTTP. However, that is a topic for another blog. Transactions can represent just about anything. A transaction could contain code to execute (i.e Smart Contract) or store and append information about some kind of business transaction. Smart Contract: computer protocol intended to digitally facilitate, verify, or enforce the negotiation or performance of a contract. In the case of Bitcoin, a transaction contains an amount from an owner’s account and amount(s) to other accounts. The transaction also includes public keys and account IDs within it, so transferring is done securely. But that’s Bitcoin-specific. Transactions are added to a network and pooled; they are not in a block or the chain itself.

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

The Senrio attack starts by targeting a security camera that is still vulnerable to an inveterate IoT bug the researchers disclosed in July, know as Devil’s Ivy. Using an unpatched Axis M3004-V network camera as an example, an attacker would find a target exposed on the public internet to start the attack, and then use the Devil’s Ivy exploit to factory reset the camera and take over root access, giving them full control over it. Once the attacker has taken over the camera, they can view the feed. In the scenario the Senrio researchers imagine, this IP camera has been rightly cordoned off from the rest of the network, able to communicate only with a router. Even with that well-intentioned stab at segmentation, the attacker can simply springboard from the camera to attack the router next. With a compromised camera, the attacker can find out the router’s IP address and its model number tohelp determine whether it has any vulnerabilities. In Senrio’s attack, the router is a TP-Link TL-WR841N that's still vulnerable to a custom code-execution vulnerability

Quote for the day:

"Authority without wisdom is like a heavy axe without an edge, fitter to bruise than polish." -- Anne Bradstreet

Daily Tech Digest - April 16, 2018

Busted! Cops use fingerprint pulled from a WhatsApp photo to ID drug dealer

Cops use fingerprint pulled from a WhatsApp photo to ID drug dealer
A bust resulted in the police getting hold of a phone that had a WhatsApp message and image of ecstasy pills in a person’s palm. The message read: “For sale – Skype and Ikea-branded ecstasy pills…are you interested?” The phone was sent to South Wales Police where the photo showing the middle and bottom portion of a pinky was enhanced. As for fingerprint identification, the BBC reported that “a search of the national database did not bring a match” as “when offenders give fingerprints, it is just the top part taken — with the middle and bottom part only occasionally left.” Here’s where it gets a bit confusing, as a different BBC article stated that “other evidence meant officers had an idea who they believed was behind the drugs operation.” Although that makes it sound like tips from locals about “a large number of visitors to one address” was the real way cops found the guy whose partial pinky was in the photo, Dave Thomas of the South Wales Police’s scientific support unit told the BBC, “While the scale and quality of the photograph proved a challenge, the small bits were enough to prove he was the dealer.”

Overclock puts your idle servers to work for other people

Overclock puts your idle servers to work for other people
Once you set up the Akash agent, you are done. Workloads are sent to your servers, they're executed, the results are sent back, and shut down. No intervention is needed on your part. That said, Overclock does provide the necessary tools to configure, deploy, monitor, and manage the workloads. A developer who needs the resources specifies their deployment criteria, such as resources needed, topology, and the price they are willing to pay, in a posting to the Akash blockchain. Providers with server cycles to offer automatically detect the new bid request and programmatically bid to host it. The lowest bid wins the auction, a lease is created, and the parties exchange keys. All of this is done with no human intervention. The Akash agent then begins picking up workloads in Docker containers, orchestrated by Kubernetes and distributed over Akash’s peer-to-peer file sharing protocol. Your applications can be run as is because they run in Docker containers. Payment via the Akash token is also done via the blockchain, allowing for a full audit of transactions by lessors and lessees.

Is Hybrid Cloud Right For Your Organization?

Hybrid cloud is less about using private and public cloud in concert for the same applications — and more about using the right mix of these separate and distinct computing resources to accomplish your organization’s overall IT objectives. As the name suggests, private cloud is a secure, private computing environment in which only a single organization operates. The pubic cloud, meanwhile, includes Amazon Web Services (AWS), Microsoft Azure and the Google Cloud Platform. And common SaaS subscription providers include Salesforce, Office365, Google Apps, Workday and Cisco WebEx. According to IDG, all eyes have been on the public cloud over the last few years, but private and hybrid clouds are set for big growth in 2018. Each of the major IaaS public cloud vendors spent 2017 clarifying their hybrid cloud strategy, setting 2018 to be the year of adoption. The biggest effort has come from Microsoft who finally released Azure Stack, a private cloud IaaS platform that is meant to mirror the Azure public cloud. Deployments of Azure Stack have been hitting the market this year.

Get an AI Head Start: Buy It

(Image: maxuser/Shutterstock)
If you are buying your AI from SAP or Oracle, and your competitor is buying the same thing from SAP or Oracle, how do you get a competitive edge? Isn't that a pretty level playing field? What's the point? Your data itself will be the real competitive edge going forward. AI solutions will become commoditized. But your data remains proprietary and valuable. Flannagan told me that in almost every meeting he has with customers, executives are recognizing that their data has value, either for internal purposes or for selling to a data partner. That's what the third-party experts are saying, too. "Enterprises that are leveraging the AI investments built into enterprise platform software need to look beyond algorithms for competitive differentiation," Purcell told me. "At the end of the day, the machine learning algorithms at the brain of AI are commoditized and widely available in open source as well as vendor technologies. Data will be the key source of competitive differentiation in the world of AI -- emerging data sources, innovative data transformations, and business-infused data understanding will lead to better models and ultimately better results from AI."

Large Majority of Businesses Store Sensitive Data in Cloud Despite Lack of Trust

Survey results show once it's in the cloud, this information is at risk. One in four organizations using infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS) has had their data stolen. One in five has been hit with an advanced attack against their public cloud infrastructure. McAfee researchers discovered an overall decline in the "cloud-first" mentality, with only 65% of respondents reporting a cloud-first strategy compared with 82% one year ago. This drop can be attributed to two factors, says Vittorio Viarengo, vice president of marketing for McAfee's Cloud Business Unit. The first is a growing awareness of the responsibility that comes with storing data in the public cloud. "Customers are realizing they're still on the hook to provide security for some of the things that happen in the cloud," he explains. They're learning, for example, service providers don't ensure their logins are properly set up, or the security risks of remote employees using cloud services. They're learning what they're responsible for when they use IaaS platforms versus SaaS.

It's time to rebuild the web

Stone wall
We'd also need to avoid many of the privacy and security flaws that were rampant in the early internet, and for which we're still paying. That technical debt came due a long time ago. Paying off that debt may require some complex technology, and some significant UI engineering. All too often, solutions to security problems make things more difficult for both users and attackers. Crowdflare's new service addresses some basic problems with our DNS infrastructure and privacy, and their CEO proposes some more basic changes, like DNS over HTTPS. But even simple changes like this require non-technical users to change configuration settings that they don't understand. This is where we really need the help of UX designers. We can't afford to make "safe" difficult. And we'd have to admit that our current web, with all its flaws, evolved from these simple building blocks. To some extent, then, it's what we wanted—or, perhaps, what we deserved. It's certainly what we accepted, and begs the question: "why wouldn't we accept the same thing again?"

CrowdStrike tools help businesses recover quickly after cyberattack

By leveraging contextual data and technologies like machine learning, security advances like those from CrowdStrike could help cyber professionals more effectively protect their organizations and respond to attacks. The cornerstone of this approach is CrowdStrike's Falcon X. Built on the existing Falcon platform from Crowdstrike, Falcon X is an endpoint solution that combines "malware sandboxing, malware search and threat intelligence into an integrated solution that can perform comprehensive threat analysis in seconds instead of hours or days," according to a press release. According to the Falcon X release, the tool offers indicators of compromise (IOCs) for the threat it comes across in your organization, along with all of its known variants. Additionally, integrated threat intelligence makes it easier for human cybersecurity pros to research and defend against threats. Falcon X is known for five core capabilities: Automated threat analysis of quarantined files, malware search on the CrowdStrike Falcon Search Engine, malware analysis, threat intelligence, and custom-tailored intelligence for your organization, the release said.

The Quirky Secrets of the World’s Greatest Innovators

Innovators are also typically blessed (or cursed) with a deep sense of what psychologists call self-efficacy, which is a nice word for what, in other contexts, might be called hubris: the conviction that one can accomplish whatever one sets one’s mind to. This is crucial because the very nature of breakthrough innovations means that most people will be skeptical of their value. Indeed, most of the people Schilling writes about were, in one sense or another, outsiders in the fields they helped revolutionize. They were also idealists, convinced that they could change the world. As Schilling puts it, “They are willing to pursue an idea even when everybody else says it’s crazy precisely because they don’t need the affirmation of others — they believe they are right even if you don’t agree.” It was that sense of self-efficacy that allowed Elon Musk to believe he could become the first civilian to put rockets into space, and that allowed Dean Kamen to build a wheelchair that could climb stairs, even though everyone told him it was impossible.

Managing Data in Microservices

High-performing organizations with these kinds of requirements have some things to do. The DevOps Handbook features research from Gene Kim, Nicole Forsgren, and others into the difference between high-performing organizations and lower-performing ones. Higher-performing organizations both move faster and are more stable. You don't have to make a choice between speed and stability — you can have both. The higher-performing organizations are doing multiple deploys a day, versus maybe one per month, and have a latency of less than an hour between committing code to the source control and to deployment, while in other organizations that might take a week. That's the speed side. On the stability side, high-performing organizations recover from failure in an hour, versus maybe a day in a lower-performing organization. And the rate of failures is lower. The frequency of a high-performing organization deploying, having it not go well, and having to roll back the deployment approaches zero, but slower organizations might have to do this half the time. This is a big difference.

Can the Law Stop Ransomware?

Cybersecurity experts and legal scholars contend that the best approach is preparation: following best practices such as regularly backing up data, educating employees about threats and risks and maintaining robust firewalls. That approach, however, has continued to lag, with cash-strapped cities and states often still unable to afford or simply unwilling to make the costly systems upgrades frequently needed to seal off vulnerabilities. Atlanta Mayor Keisha Lance Bottoms, for example, acknowledged to The New York Times that cybersecurity had not been a priority until the city was attacked. "Cybersecurity, it's something that is abstract, it's invisible, so in politics it's difficult to say, 'OK, we're going to spend $10 million on cybersecurity,'" says Cesar Cerrudo, chief technology officer of IOActive Labs. ... That's created the surreal scenario of city councils, state governments and even police departments agreeing to pay ransoms simply to get their stuff back. Indeed attackers deliberately set the ransoms low enough that the risk of losing the files altogether – or the expense of hiring a security firm to try to recover them – simply isn't worth it.

Quote for the day:

"Behind every beautiful thing, there's been some kind of pain." -- Bob Dylan

Daily Tech Digest - April 15, 2018

AI and machine learning are forcing CIOs to rethink IT strategies
Machine learning can be the IT pro’s best friend; they just need to realize how it can be used to make their jobs easier." This makes sense because the use of machine learning will be a “crawl-walk-run” for most organizations, as they will apply it in phases. The first phase will be using it to describe something. It analyzes the data and helps interpret it. The next phase is more cognitive where the AI can start to solve problems. The third phase will see the technology start to predict things. For example, it could perhaps predict that a security breach is going to occur based on other data.  The last phase, and we are years away from this, is prescriptive where the AI is able to predict things and then take action to remediate the action. In the previous example, it could not only predict a breach, but it could then take the necessary steps to ensure it doesn’t happen. For this to occur, the AI would use itself in an iterative manner.

Machine learning & language complexity: why chatbots can’t talk… yet

Most of the value of deep learning today is in narrow domains where you can get a lot of data. Here’s one example of something it cannot do: have a meaningful conversation. There are demos, and if you cherry-pick the conversation, it looks like it’s having a meaningful conversation, but if you actually try it yourself, it quickly goes off the rails. In fact, anything that’s a bit too much open domain is beyond what we can currently do. Instead, in the meantime, we can use these systems to assist human workers who then offer and correct their responses. That’s much more feasible. When they interact with others, people tend to express the same intent with different words, potentially over several sentences with different word orders. Talking to chatbots can sometimes be challenging — current chatbot solutions don’t allow diversity. Therefore, you’d better format your dialogue in order to be understood. This is frustrating.

The Cold Start Problem with AI

Any company either startup or enterprise, who wants to take advantage of AI, needs to ensure that they have actual useful data to start with. Where some companies might suffice with simple log data that is generated by their application or website, a company that wants to be able to use AI to enhance their business/products/services, should ensure that the data that they are collecting is the right type of data. Dependent on the industry and business you are in, the right type of data can be log data, transactional data, either numerical or categorical, it is up to the person working with the data to decide what that needs to be. Besides collecting the right data, another big step is ensuring that the data that you work with is correct. Meaning that the data is an actual representative of what happened. If I want a count of all the Payment Transactions, I need to know what is the definition of a Transaction, is it an Initiated Transaction or a Processed Transaction? Once I have answered that question and ensured that the organization agrees on it, can I use it to work with.

How Blockchain Will Change the Sharing Economy

Think of how the sharing economy has exploded in the past decade. If you’ve taken an Uber to the airport or rented an Airbnb, you’ve been a part of it. We’re even at a point where renting out personal items is a viable business model. For example, Omni Storage stores items you’re not using — just like a normal storage company — but they also rent your items out to people. Skis, guitar, winter jacket. It’s all available for rent (with the owner’s permission) via an app. We all hold onto certain possessions, because we plan to use them eventually. Or so we tell ourselves. Why not make some money off of our stuff instead of letting it go unused? That question is at the heart of the sharing economy, and we’re going to be hearing a lot more about businesses like Omni in the next few years. This is what it can look like if blockchain is involved. Futuristic sharing concepts will only work if many other considerations are taken care of. Each item has to be documented, proven authentic, assigned a current value, and even insured. And blockchain can be extremely useful here.

Will artificial intelligence make you a better leader?

Leading with inner agility
In our experience, AI can be a huge help to the leader who’s trying to become more inwardly agile and foster creative approaches to transformation. When a CEO puts AI to work on the toughest and most complex strategic challenges, he or she must rely on the same set of practices that build personal inner agility. Sending AI out into the mass of complexity, without knowing in advance what it will come back with, the CEO is embracing the discovery of original, unexpected, and breakthrough ideas. This is a way to test and finally move on from long-held beliefs and prejudices about their organization, and to radically reframe the questions in order to find entirely new kinds of solutions. And the best thing about AI solutions is that they can be tested. AI creates its own empirical feedback loop that allows you to think of your company as an experimental science lab for transformation and performance improvement. In other words, the hard science of AI can be just what you need to ask the kind of broad questions that lay the foundation for meaningful progress.

200,000 Cisco Network Switches Reportedly Hacked

In its blog post, Kaspersky Lab states: "It seems that there's a bot that is searching for vulnerable Cisco switches via the IoT search engine Shodan and exploiting the vulnerability in them (or, perhaps, it might be using Cisco's own utility that is designed to search for vulnerable switches). Once it finds a vulnerable switch, it exploits the Smart Install Client, rewrites the configuration and thus takes another segment of the Internet down. That results in some data centers being unavailable, and that, in turn, results in some popular sites being down." In an advisory on Cisco switch vulnerability issued Monday, the Indian Computer Emergency Response Team stated multiple vulnerabilities have been reported in Cisco IOS XE ,which could be exploited by a remote attacker to send a crafted packet to an affected device and gain full control also conduct denial of service condition.

Cyber Accountability: The Next Boardroom Struggle

Cyber Accountability: The Next Boardroom Struggle
The data protection officer will also need the right tools in place to monitor irregularities and work with the CISO network team. Real-time analysis at the network level will give businesses an indication of the files or data that have been transferred or viewed from the network environment. This will support any breach reporting and give an organisation the means to handle the reputational aspect of a breach fallout, and rapidly understand what data has been accessed and how to respond. The next key part of the puzzle is for a business to have a slick process for reporting and communicating breaches to the regulator, customers and any other affected parties. Practice is the only way to prepare: define a process, rehearse it in simulations with the required decision makers, refine it, and repeat as the business and regulatory environment shifts, year on year. Complement this with a clear and defined internal procedure so all staff know what to do should and who they need to speak to if they notice something awry.

Graph databases and machine learning will revolutionize MDM strategies

Traditional MDM has been around since the early 2000’s. As data volume has grown and the potential value of analytics has exploded, enterprises seeking to compete on analytics struggle to scale mastering efforts with the surfeit of available data sources. Clearly, creating robust data engineering pipelines to unify this data at scale is more important -- and harder -- than ever. An “agile” approach, utilizing machine learning can cut time required for unification or analytics projects (around 90%) while scaling to more sources than other traditional approaches. Moreover, given the scale of enterprise data, automation is the key to agility and scale. Such enterprise data automation can only be achieved with some human oversight to make sure the results are fast and accurate. Not just raw data scalability, but also human process scalability is enabled by machine learning.

Managing vulnerabilities in the cloud . . . and everywhere else

Managing vulnerabilities in the cloud . . . and everywhere else
The public and, more importantly, governmental leaders are loosing patience with companies that fall victim to attacks because they didn’t address known vulnerabilities with available patches and highly publicized exploits. Aside from how dangerous the leaked NSA–developed exploits can be in the hands of cybercriminals, attacks like WannaCry showed us how connected we are. The “ransomworm” spread like wildfire through networks and jumped into new areas through third–party connections. Where there was a path, there was a way. This should be of concern, especially amid the move to the cloud where complexity and visibility challenges only become more daunting.  To stay safe in the era of distributed attacks and cloud–first strategies, organisations need to rethink how they view their attack surface. Attackers don’t see your network with distinct boundaries, and neither can you. No matter if it’s your physical, virtual or cloud network — you need to approach security holistically and centralize management.

IT’s worst addictions (and how to cure them)

IT̢۪s worst addictions (and how to cure them)
While technology addiction is a real thing, especially for teenagers, IT pros have their own monkeys on their backs. Whether you're an infrastructure junkie or a Slack head, chasing the data dragon or mesmerized by the blinking lights on your network operations center dashboard, your tech addictions can kill productivity, sap budgets and stall innovation. An inability to relinquish control can lead to technology silos and turf wars. Overdependence on artificial intelligence can actually hurt, not help, your company. And while everyone loves shiny new toys, they may not be the most cost-effective solutions for your organization. The first step on the road to recovery is admitting you have a problem. The next step is reading our prescriptions for how to kick your bad habits and get clean again. "Organizations are caught in analysis paralysis," says Sarah Kampman, vice president of product at Square Root, whose CoEfficient SaaS platform helps retailers and automotive brands make sense of their data. "The information isn't translating into behavioral changes that drive success."

Quote for the day:

"Don’t be so quick to label something as “bad.” It may be the thing that takes you to success." -- Tim Fargo