NIST SP 800-63 recommends using non-password methods where possible, and although the recommendations are definitely against forcing users to use very long and complex passwords, they don’t limit password length or complexity. When people are forced to create and use long, complex, and frequently changing passwords, they do a poor job at it. They reuse the same passwords among different websites or use only slightly different passwords, which creates an easy-to-decipher pattern. If those same humans use MFA or other non-memorization authentication methods, then the overall risk of repeated passwords and patterns can be broken. If a person can use a password manager, which creates and uses long and complex passwords that the person doesn’t have to remember, then perhaps you can get the best of both worlds. Until recently, I had never completely depended on them, throwing all my memorized passwords away. I felt bad about recommending them without “living” with them.
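To make the contrast concrete, here is an added example (not code from the original article) that puts a legacy composition-rule policy beside a check modelled on SP 800-63B: a length floor, no short ceiling, no character-class rules, and a screen against known-breached values. The breach list is a constructed sample, not a real corpus.

```python
"""Two password-acceptance policies side by side: a legacy composition
rule set and one modelled on NIST SP 800-63B (minimum length, no
composition rules, no short maximum, screen against breached values).
Added example, not code from the original post."""
import re
import unicodedata

# Constructed sample breach corpus; a real deployment would consult a
# large list (e.g. via a k-anonymity range query), not a small set.
BREACHED = {"password", "123456", "qwerty123", "p@ssw0rd", "welcome1"}


def legacy_check(pw: str) -> tuple[bool, str]:
    """Typical pre-800-63 policy: 8-16 chars, four character classes."""
    if not 8 <= len(pw) <= 16:
        return False, "length must be 8-16"
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        return False, "needs upper, lower, digit and symbol"
    return True, "ok"


MIN_LENGTH = 8      # 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 128    # only bounds hashing work; must not be below 64


def nist_check(pw: str, username: str = "") -> tuple[bool, str]:
    """800-63B style: length floor, generous ceiling, breach screen."""
    pw = unicodedata.normalize("NFKC", pw)   # stable form before hashing
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if pw.lower() in BREACHED:
        return False, "appears in breach corpus"
    if username and username.lower() in pw.lower():
        return False, "contains username"
    return True, "ok"   # no composition rule, no forced expiry


if __name__ == "__main__":
    # The legacy policy accepts a breached 8-char string and rejects a
    # long passphrase; the 800-63B style check does the opposite.
    for cand in ("P@ssw0rd", "correct horse battery staple"):
        print(f"{cand!r}: legacy={legacy_check(cand)} nist={nist_check(cand)}")
```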
Another Facebook patent application titled “Location Prediction Using Wireless Signals on Online Social Networks” describes how tracking the strength of Wi-Fi, Bluetooth, cellular, and near-field communication (NFC) signals could be used to estimate your current location, in order to anticipate where you will go next. This “background signal” information is used as an alternative to GPS because, as the patent describes, it may provide “the advantage of more accurately or precisely determining a geographic location of a user.” The technology could learn the category of your current location (e.g., bar or gym), the time of your visit to the location, the hours that entity is open, and the popular hours of the entity. For example, in the map below that demonstrates how the tech would work, Facebook would see that you are in geographic location 302 — and it could predict you’d be likely to go to locations 304, 306, and 308 next, based on places you’ve visited before (maybe you’ve gone to Starbucks after visiting Walgreens) or on the travel behavior of other users the same age as you.
The main conclusion is that the conformity — defined as adhering to conventional wisdom — that gets leaders to the top too often disqualifies them from grasping the scale and nature of disruption. Leaders are saddled with what Geoff Mulgan, chief executive of Nesta, a global innovation foundation in the United Kingdom, labels “zombie orthodoxies.” These leaders rise through the ranks listening and conforming to those like them. But disruption requires precisely the opposite: It needs leaders to think, and plan for, unthinkables. In order to do this, it is imperative to have a clear purpose and to embrace diversity, inclusivity, and new behaviors, which will help leaders understand and even anticipate the impact of disruption. It is an enormous Rubik’s Cube. As one top professional told us: Leaders today confront having to “eat an elephant in one mouthful.” This is not a case of trying to break down today's challenges into neat solutions.
Like von Schirmeister, Gideon Kay -- who is European CIO at Dentsu Aegis Network -- says IT leaders must be alert to the fact that people on the board increasingly have a take on technology, just like they would on sales, marketing and operations. Kay says CIOs must see this new interest in digital transformation as an opportunity to influence. "You don't have to bite your lip," he says. "Once you've built your credibility, which you need to do pretty quickly, and providing you've built a reputation for explaining technology in the right way -- which is about talking in terms of the business and commercial impact -- then you can give the business the definitive line on technology." Kay says CIOs can use their experience to say which services the business should be worried about, and which are the ones that don't matter: "These are the things that are hot, and these are the things that are not," he explains.
Having an organization-wide communications policy in concert with both organizational objectives and IT capabilities is a first step, just as is the case with BYOD and security. Solutions must similarly be in concert with this policy, and with no exceptions. Once the communications policy is in place, a solution set can be assembled and aligned with the general framework we introduced above. In general, the process here will follow that which is typically applied to all IT services, including a requirements analysis, service set definition, long and short lists of candidate products and services (and, increasingly rarely, new internal development), and experiential analysis and evaluation via alpha and beta tests. The rollout of the solution must be accompanied by consciousness-raising, education, support, and monitoring for management visibility with respect to both the policy and the solution. Once again, IT must reinforce the importance of using only approved channels and facilities and avoiding difficult-to-impossible-to-monitor out-of-band solutions, including social media.
Clearly, the way that some centralized identity databases are currently secured doesn't work. I believe that technology industry professionals should think outside the box to create a security solution for centralized databases. Some think blockchain is the answer. They believe that a distributed ledger could be used to decentralize identity information. Using the blockchain, identity information could be stored securely using cryptography. This is similar to how cryptocurrencies are cryptographically stored in wallets on the blockchain. A wide variety of identity documents could be stored on the blockchain in a single place — an identity wallet of sorts — and each wallet could have its own form of encryption. The main advantage of doing this is that the identity information would become decentralized on a distributed ledger. This would make it a lot harder for cybercriminals to perform large-scale identity data breaches because they would have to hack into each wallet individually.
Application automation and integration are central to nearly every project these days at Wilbur-Ellis, a $3 billion holding company, with divisions in agribusiness, chemicals and feed. "If I look back on the last three major projects, they all involve a separate system that has to integrate," said Dan Willey, CIO at the San Francisco-based company. Many of these iPaaS tools are conceptually good for modern, cloud-based companies, but sometimes you are saddled with an application that doesn't play well. In the case of Wilbur-Ellis, an ERP system by Oracle's JD Edwards is a stumbling block, Willey said. Wilbur-Ellis uses Dell Boomi's connectors to connect customer and order data. The company will also use the tool in a broader sense as an API management platform. "It's a hard problem to solve," Willey said. "It's interchanging between your tool sets, data in your back-end systems, front-end systems, IoT data and other things that need to be lined up to make it happen."
Three-quarters of enterprises this year discovered on their own they had been hacked rather than learning from a third party. The bad news: It took them an average of 85 days to spot an attack. That means hackers still have the upper hand. What's more, they need less than two hours, on average, to move from the initially attacked machine to further inside a target's network, according to CrowdStrike, which today published its "Cyber Intrusion Services Casebook, 2018," a report on a sampling of its real-world incident response (IR) investigations for clients. "We noticed attackers this year were pretty brazen and stealthy: Eighty-six days [before getting discovered] is still a problem," even when victim organizations are getting better at self-detection, says Tom Etheridge, vice president of services for CrowdStrike. The number of hacked organizations that spotted their own attacks rose 7% this year over those from CrowdStrike Services' IR engagements in 2017.
The data analyst role is suited to most businesses. Able to convert business challenges into opportunities for data analysis, the analyst often bridges the gap between technical and practical. A machine learning engineer is looking to make an algorithm run quickly and in a distributed environment. Asking them to analyze data and find nuggets of relevant business insights isn’t their forte, but an ML engineer can select the appropriate algorithm and implement it within the company’s production system without introducing a bottleneck. A research data scientist is interested in investigating cutting-edge techniques or inventing new techniques. This role usually requires a Ph.D. Extreme familiarity with the underlying mathematics is a must. It’s important to note this type of individual contributor would be bored out of their mind working on everyday-business problems. The manager is the ultimate bridge between various technical roles, business stakeholders, and other leadership. Managers are frequently facilitating their teams’ best work while ensuring outcomes are mapped to business goals and prove ROI.
"There is a risk of extensive infections because [of the] big arsenal of vulnerabilities that [the malware] attempts to exploit," says Apostolos Giannakidis, security architect at Waratek, which also posted a blog on the threat. All of the vulnerabilities are easy to exploit, and actual exploits are publicly available for many of them that allow attackers to compromise vulnerable systems with little to no customization required, he says. Several of the vulnerabilities used by Lucky were disclosed just a few months ago, which means that the risk of infection is big for organizations that have not yet patched their systems, Giannakidis says. All but one of the server-side vulnerabilities that Lucky uses affect Java server apps. "The vulnerabilities that affect JBoss, Tomcat, WebLogic, Apache Struts 2, and Spring Data Commons are all remote code execution vulnerabilities that allow attackers to easily execute OS commands on any platform," he notes.
Quote for the day:
"Colors fade, temples crumble, empires fall, but wise words endure." -- Edward Thorndike