Daily Tech Digest - August 02, 2018

How You Can Bridge the IT Training Gap

"Organizations must ensure they’re creating opportunities for staff to get to know the business beyond just their department," noted Timothy Wenhold, chief innovation Officer at Power Home Remodeling, a national home remodeling firm. "When we onboard new hires, we have them spend two weeks shadowing every department, regardless of their level and years of experience," he said. "This gives the staff the direction needed to align their technical training goals so that they match the business’ needs." Ideally, there should always be a mix of different types of training. "The organization may want to carry out some type of assessment prior to the training to understand what areas should be addressed over others," suggested Ben Jordan, a security specialist with cybersecurity firm GreyCastle Security. "After trainings are completed, employees should be given the opportunity to give feedback about the training." "Whether IT training happens in a classroom, on the computer, on the job, or on your own — internally, externally or a mixture of both — all this matters less than ensuring that training is a reoccurring program and not a one-time, easily forgotten session," commented Thomas LaMonte, a senior analyst with tech research firm Gartner Digital Markets.



Mexico's fintech industry is on fire

Passed in early March 2018, Mexico’s fintech law received support from every major party, passing with 75 percent of the votes. And though it did place some restrictions on the space, the law was overwhelmingly supportive of the industry as a whole. The law even provided a loose definition of digital assets: "...the representation of value registered electronically and used by the public as a means of payment for all types of legal acts and whose transfer can only be carried out through electronic means." This is important because it opened the door for fintech companies to utilize cryptocurrencies in remittance transactions, a space which accounted for over $28 billion coming into the country, representing 10 percent of Mexico’s total GDP growth in 2017. Before, these payments carried significant fees and could take days to process, but with the new law, citizens can now access these services through fintech institutions utilizing cryptocurrencies at a lower rate and with much faster processing times.


Microsoft rejiggers Windows 10 Enterprise subscriptions, pricing

Changes to Windows 10 Enterprise were spelled out in some detail, even though new pricing was not disclosed. "For Windows, we're taking steps to recalibrate the price and rename the per device/per user offers, optimizing on our strategy of Microsoft 365," Microsoft wrote in an FAQ. "Part of this is about clarity," said Wes Miller, an analyst with Kirkland, Wash.-based Directions on Microsoft, talking about licensing. But he also said the changes, both in pricing and nomenclature, are further efforts by Microsoft to move customers to the licensing model where rights are tied to users, not to devices. Server-based desktops, for example, are only possible under Microsoft's per-user licensing, Miller pointed out. Windows 10 Enterprise E3 and Windows 10 Enterprise E5 debuted in 2016, when Microsoft began selling subscriptions to the operating system, specifically Windows 10 Enterprise, the operating system's top-tier version. Unlike Microsoft's legacy licensing - in which the operating system is licensed on a per-device basis - the E3 and E5 subscriptions are per-user. A licensed user could work at any of five allowed devices equipped with Windows 10 Enterprise.


DNS: Strengthening the Weakest Link

New specifications were defined in 2005 to address DNS’s lack of security. DNS Security Extensions (DNSSEC) provides origin authentication, data integrity and authenticated denial of existence. However, the specifications do not address availability or confidentiality. The main goal of DNSSEC was to preclude DNS spoofing or DNS cache poisoning. DNSSEC adoption remains a long-term challenge and implementation has been slow. According to ISOC, only about 0.5% of zones in .com are signed. That’s because when compared to DNS, DNSSEC is complex, introduces computation and communication overhead to DNS and requires significant infrastructure changes for organizations. IT organizations should make DNS infrastructure protection top of mind due to the absence of built-in security mechanisms in the DNS protocol. Specifically, DNS security requires rethinking perimeter security. Many organizations address DNS security by provisioning a DNS firewall and/or competent DNS servers, leaving the perimeter unattended.


How to identify and protect high-value data in the enterprise


The definition of high-value data is not one size fits all, as we all define our data differently. When considering what high-value data is versus what is just regular data, it is important to take a step back and use a holistic, risk-based approach; classify your data based on what can impact you the least to the most. Consider adding a few flavors to your data classification formula, such as the value of the data, the consequences of the loss or exposure of that data, the likelihood of occurrences and risks to enhance your data classification, and also ensure that you are measuring and defining your data on a consistent basis. Using the above approach and examples, take a deep breath and two steps back. Close your eyes and list a few data assets around you. Classify them inside your head, spin it a few times and then write them down. Make sure you are not trying to capture all of the data at once, as doing so can be a dangerous move and will probably overheat your brain; limiting your scope is the key.


How GDPR Could Turn Privileged Insiders into Bribery Targets

GDPR mandates hefty penalties for companies that are breached. Penalties can reach as high as 4% of a violator's annual revenue. (Remember, Google and Facebook are already facing $9 billion in fines.) This means that in many cases, penalties will far outweigh the actual cost of a breach, which criminals know. Rather than auction stolen data to fellow crooks for pennies or try to exact a ransom to decrypt it, criminals will start to ransom stolen data back to the organizations they heist it from in exchange for not exposing it publicly. The extortion price will be substantially higher than what could be earned on the Dark Web but significantly lower than an actual GDPR breach fine. Paying extortion may create an ethical dilemma for companies, but it will make smart business sense as it will be much lower than the financial penalties. Privileged insiders are central to this scenario. Cybercriminals will be motivated to bribe them, as holders of the kingdom's keys, into giving up their credentials. Once criminals have hold of these, they will have an opportunity to earn payouts way beyond anything ever seen in the past.


Why innovation requires transformational leadership

We must continuously build and challenge our assumptions at the same time and let our direction and momentum be dictated by that process, one informed by what we know about today and, as far as we can predict, tomorrow. Unlike traditional ‘strategy’, this creates a much better readiness to change direction when required rather than clinging onto what worked a couple of years ago. That brings us on to another important element of transformational leadership: the change line is not and never will be set in stone. When you think about it, that makes sense, right? Your ambition for tomorrow is based on your knowledge and ability today. As your abilities grow and develop, as new technologies come on stream and as customer demands change, it is only natural that your future ambitions will modify based on today’s scenario. Here again, those leaders who seek to develop problem-solving flexibility within their organisations are the ones that are more likely to come out on top. And if you’re not going to be flexible, well then watch out for the 74% of leaders who research suggests are looking to be disruptors in their own sectors.


5 Artificial Intelligence Business Lessons From The Masters


Both IBM’s Dinesh Nirmal and O’Reilly’s Ben Lorica said preparing data for mathematical models was the primary bottleneck for AI. Nirmal's keynote focused on operationalizing AI. Nirmal described how real-world machine learning reveals assumptions embedded in business processes and in the models themselves that cause expensive and time-consuming misunderstandings. Data hygiene has been a critical failure point that has thwarted analytics efforts since the dawn of time. However, it’s an even bigger issue as companies look to incorporate lots of data from various internal and third-party databases. IBM talked about the need for preparing data but also having a structure for AI model management. In a meeting with Ben Lorica, he noted there's a role within the AI/data science discipline called data engineer that assists in preparing data for the data scientists to use in the algorithm training process. Even in 2018, we're still trying to eliminate the garbage-in, garbage-out problem.


Feds Announce Arrests of 3 'FIN7' Cybercrime Gang Members

"FIN7 is one of the most sophisticated and aggressive malware schemes in recent times, consisting of dozens of talented hackers located overseas," the Justice Department says in a fact sheet. The scale of FIN7's operations has been significant. In the U.S. alone, FIN7 allegedly stole "more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations," the Justice Department says. Many businesses have sought to better secure their payment card systems and networks in light of large intrusions in recent years affecting T.J. Maxx, Target, Home Depot and many others. But their efforts have not been fully effective. Indeed, the U.S. continues to suffer a payment card breach epidemic centered not just on restaurants, but also retailers and hotels. The problem is compounded by the ease of procuring card-scraping malware, designed to infect POS systems, as well as backdoor exploitation tools - such as the Carbanak backdoor - from underground cybercrime forums.


Preventing the next digital black swan: The auditor, the CISO and the C-Suite

On the surface, digital black swans may seem unforeseeable, but if you dig a little deeper, you’ll generally discover that many of these incidents could have been prevented. For instance, in the Equifax breach, hackers exploited a vulnerability that was publicly disclosed two months prior to the attack. If Equifax had installed the patch in a timely manner, this breach would likely have been prevented. The key to preventing digital black swans is carefully putting critical controls in place. There are a number of controls that companies can use to reduce the odds of experiencing a major cyberattack. For example, Equifax suffered from faulty vulnerability management. The credit reporting company had ample time to install a routine security update that would have prevented the cyber incident. Poor security practices at Equifax were systemic. Shortly after the breach, it was revealed that one of the company’s online employee portals could be accessed using the default credentials of “admin” as both the username and password. This simple negligence put millions of Americans’ data at great risk.



Quote for the day:


"Take time to deliberate; but when the time for action arrives, stop thinking and go in." -- Andrew Jackson