Daily Tech Digest - July 15, 2019

Most Common Security Fails 

Image title
The most common security failure is not having a process. In addition, there’s also a disconnect between the security and compliance regulations that executives focus on, one being HIPPA’s cybersecurity requirement below: 164.306(a)(1) ensure the confidentiality, integrity, and availability of all electronically protected health information the covered entity creates, receives, maintains, or transmits. The above is such a broad and generic statement and that’s just one statement out of a document that has almost a hundred statements, so it’s no longer meaningful. From the perspective of security failures —which ties into the state of security management — there’s an absolute disconnect between high-level frameworks like ISO, COBIT, and HIPAA and how you actually implement them. Many companies today feel they have a framework that they follow, but that’s not a security program; that’s a document that gives guidance, one that doesn’t even give you detail on how to implement said guidance. For example, you start out with a security framework like HIPAA and you use something like the CIS controls to implement the guidance within HIPAA, that’s the second phase.

Why is it so hard to see IoT devices on the network?

Most IoT devices are known for their low CPU, minuscule memory and unique operating system (that often needs to be studied from scratch). Many IoT devices are “protected” by factory-derived usernames and passwords that are rarely changed. Furthermore, these devices are designed to connect to the wireless network, and most won’t function at all without a connection. These challenges make discovering and managing the devices a significant challenge, especially if they aren’t being accounted for as part of IT inventory. To track their presence on the network, IT teams need dedicated visibility tools with a price point that outweighs the relative low cost of adopting the IoT devices themselves. As a result, many IoT devices are given free reign over the network and can’t be seen in regular endpoint or vulnerability scans. You may be thinking that the answer to this challenge lies with the device manufacturers. Indeed, this thinking is correct, but due to a lack of regulation on IoT security, manufacturers are only now starting to realize that a lack of security presents a barrier to implementation.

Leak Confirms Google Speakers Often Record Without Warning

Leak Confirms Google Speakers Often Record Without Warning
Responding to the VRT NWS report, Google says that building technology that can work well with the world's many different languages, accents and dialects is challenging, and notes that it devotes significant resources to refining this capability. "This enables products like the Google Assistant to understand your request, whether you're speaking English or Hindi," David Monsees, Google's product manager for search, says in a Thursday blog post. Google says it reviews about 0.2 percent of all audio snippets that it captures. The company declined to quantify how many audio snippets that represents on an annualized basis. "As part of our work to develop speech technology for more languages, we partner with language experts around the world who understand the nuances and accents of a specific language," Monsees says. "These language experts review and transcribe a small set of queries to help us better understand those languages. This is a critical part of the process of building speech technology, and is necessary to creating products like the Google Assistant."

Network visibility challenges in modern networks

Organizations should strive for an end-to-end view of the health and operational status of their networks for several reasons. For one, visibility can enhance your ability to troubleshoot problems as they arise. Everything from a downed network and interfaces to operational, yet degraded links can be more quickly identified when monitoring and baselining data flows as they pass through the local area network (LAN), wide area network (WAN) and even out to the internet edge. Another reason for network visibility is to validate performance-based configurations. Visibility can help network managers better understand how network issues affect data on a per-application basis. If specific applications are business-critical, a manager can use configuration techniques, such as quality of service and traffic policing and shaping, to optimize these important data flows. Visibility can then validate that the performance modifications are working or identify when further configuration adjustments are needed.

Billion-dollar privacy penalties put CEOs on notice

The unprecedented penalties imposed on Facebook, Marriott and British Airways should serve as a warning for company leaders, according to Tom Turner, CEO of cyber security ratings firm BitSight. “CEOs around the globe are on notice that they are accountable for cyber security performance management just the same way they are accountable for managing the business,” he said. Commenting on the FTC settlement, Nuala O’Connor, president and CEO of the Center for Democracy & Technology (CDT), said: “The record-breaking settlement highlights the importance of data stewardship in the digital age. “The FTC has put all companies on notice that they must safeguard personal information,” she said, adding that privacy regulation in the US is “broken”. While large after-the-fact fines matter, O’Connor said strong, clear rules to protect consumers are more important, and called on the US Congress to pass a comprehensive federal privacy law in 2019.

How Not to Get Eaten by Technology

Cue Jaws theme song
Effective and smart learning techniques and strategies are required. By effective learning techniques, I mean methods that will help you to identify hot markets, hot technologies, trends, learning how to focus on what matters, learning things quickly, and so on. Specialization became more valuable as the platforms are becoming more sophisticated, so being a “Jack of all trades” is no longer acceptable for many companies since mastering a particular track is a non-trivial time and effort investment. (Well, this is subject to debate!) The software engineering field is becoming a well-paid field, in particular for renowned experts since it is not easy to become a well-versed engineer. Soft skills such as negotiation skills, requirements engineering, time planning, and public speaking are timeless valuable skills that will boost career opportunities. Domain knowledge is always valuable; it's worth it to spend time understanding the business rules, domain language, and concepts on a specific business area you are working in, such as health, HR, banking, etc.

How organizations are bridging the cyber-risk management gap

How to bridge the cyber-risk management gap
OK, so there’s a cyber-risk management gap at most organizations. What are they going to do about it? The research indicates that: 34% will increase the frequency of cyber-risk communications between the CISO and executive management. Now, more communication is a good thing, but CISOs must make sure they have the right data and metrics, and this has always been a problem. I see a lot of innovation around some type of CISO cyber-risk management dashboard from vendors such as Kenna Security, RiskLens (supporting the Factor Analysis of Information Risk (FAIR) standard), and Tenable Networks. Over time, cyber-risk analytics will become a critical component of a security operations and analytics platform architecture, so look for vendors such as Exabeam, IBM, LogRhythm, MicroFocus, Splunk, and SumoLogic to make investments in this area. 32% will initiate a project for sensitive data discovery, classification, and security controls. Gaining greater control of sensitive data is always a good idea, yet many organizations never seem to get around to this.

Software Engineer Charged With Stealing Company Secrets

Xudong Yao, 57, has been indicted on nine federal counts of theft of trade secrets, according to the U.S. Attorney's Office for the Northern District of Illinois, which is overseeing the case along with the FBI. Yao, who also used the first name "William," is believed to be living in China, according to federal prosecutors. During his time with the company, Yao allegedly downloaded thousands of computer files and other documents that contained various company trade secrets and intellectual property, including data related to the system that operates the unnamed manufacturer's locomotives, according to the indictment. While Yao was taking his former employer's intellectual property, he was negotiating for a new job with a firm in China that provided automotive telematics service systems, the Justice Department alleges. Yao was born in China, but he's a naturalized U.S. citizen, according to the FBI. Theft of trade secrets is a federal crime that carriers a possible 10-year prison sentence for each count, according to the Justice Department.

IT-Based Attacks Increasingly Impacting OT Systems: Study

IT-based attacks increasingly impacting OT systems: Study - CIO&Leader
While IT systems have been standardized for many years on the TCP/IP protocol, OT systems use a wide array of protocols, many of which are specific to functions, industries, and geographies. The OPC Foundation was established in the 1990s as an attempt to move the industry toward protocol standardization. OPC’s new Unified Architecture (OPC UA) has the potential to unite protocols for all industrial systems, but that consolidation is many years away due to the prevalence of legacy protocols and the slow replacement cycle for OT systems. Cyber criminals have actively attempted to capitalize on this confusion by targeting the weak links in each protocol. These structural problems are exacerbated by the lack of standard protections and poor security hygiene practiced with many OT systems—a legacy of the years when they were air gapped. Figure 2 shows the number of unique threats targeting machines using specific ICS/SCADA protocols. Despite seasonal fluctuations and a wide variety of targets, the data is clear on one thing: IT-based attacks on OT systems are increasing.

4 steps to reaping the software benefits of continuous testing

Evolving your software development process to include continuous testing is a necessary investment so your team’s software is high quality and delivered quickly. Testing mitigates the risk of poor software quality by identifying defects before there is impact to your customers, your business operations and your revenue. Testing is good, but continuous testing is better, because you can find and fix more defects sooner to avoid the accumulation of technical debt. Software technical debt includes defects in your software not yet discovered plus the backlog of lower priority defects waiting to be fixed. Technical debt adds to the complexity and cost of maintaining your software over time. With CT, you can take action immediately to fix defects to avoid adding to your technical debt. CT decreases the time and cost to fix a defect. Research by Perfecto disclosed that a software defect fixed on the same day it was detected took only one hour, while it took eight hours to fix if detected at the end of a two-week sprint.

Quote for the day:

"Effective team leaders adjust their style to provide what the group can't provide for itself." -- Kenneth Blanchard

No comments:

Post a Comment