Daily Tech Digest - November 11, 2019

5 Potential Oversights In Enterprise Identity Management

5 Potential Oversights In Enterprise Identity Management
If you don’t take the time to consider these potential oversights in identity management, you could face some unneeded costs in your cybersecurity. First, you should seek out a singular solution for your identity and access management (as discussed above). The fewer solutions on your network, the fewer the costs. However, you need to weigh more than just your solutions’ integrations. In addition, you need to weigh the initial deployment costs—you need a solution that fits with your budget. Ideally, you should consider identity management a critical business process and budget accordingly. On the other hand, you still need a solution which fits your network—a more expensive solution may not benefit you.  Finally, your enterprise needs to also consider your IT security team. These individuals will maintain and work with it intimately, and they deserve proper compensation for their services. Moreover, the solution you select must fit with their individual skill sets so they can optimize their performance. “You can’t protect what you can’t see,” says the old cybersecurity adage. 

Data cannot be democratised without giving the consumers of that data an understanding of its trustworthiness and relevance to the business. That means having a firm grasp of the context, quality and business value of all available information sources – both inside and outside the organisation. Data governance is fundamental to enabling businesses to give their executives a holistic view of the metrics that matter and empower them to make agile, evidence-based decisions. It allows data scientists to focus on answering business questions and training AI models with confidence in the outcomes. It enables more and more workflows to be informed or transformed by putting contextual insight or predictive capability in the hands of non-technical users. And when provided within a framework of privacy, data can actively help to preserve customer trust as well as driving automation and delivering intelligent, engaging customer experiences. Amid the great DX gold rush, data needs to be perceived and treated in the same way as any other strategic asset, like people and facilities: managed with the right tools and governed by the appropriate policies and practices.

AT&T Sounds Alarm on 5G Security
Not surprisingly, the top security concerns related to 5G include the larger attack surface (44%), and the number of devices on networks (39%), followed by the need to extend security policies to new IoT devices (36%), and authenticate a greater number of devices (33%). “Most of the transitions in networking have been about faster speeds or increased capacity. 5G introduces more complex networking and is being delivered with virtualization in mind,” analysts wrote in the report. “The latter appears to be a crucial gap in the way enterprises are preparing for 5G, as enterprises will need to take advantage of virtualization to make the network nimbler and more responsive.” Many enterprises have yet to embrace that approach, according to the study. Only 29% of respondents said their organizations plan to implement security virtualization and orchestration during the next five years. Moreover, only 25% are confident that their organization’s current security policies will be effective in a 5G environment. More than half, or 53%, say some adjustments will be required and 22% anticipate a need to completely rethink their security policies.

Bitcoin and the disruption of monetary oppression

One of the tangible social impacts of Bitcoin can be witnessed in the human rights arena. As one example, Song offers an overview of the refugee crisis in Venezuela, explaining that Bitcoin is allowing those wishing to flee the country to sell their belongings and retain their money when crossing the border to Columbia. “There’s very clear evidence of this,” Song explains “because the price of Bitcoin in Columbia is actually lower than everywhere else in the world because there’s such a big supply. Four million Venezuelans have left. That’s 10% of their population. That’s a serious impact. Usually in refugee crises, it has gotten so bad that people were willing to leave everything behind. With this, they get to carry their wealth. It undermines the Maduro government to a large degree.”  The US’s market-driven monetary imperialism has led, Song argues, to a sort of global US dollar hegemony—the impact of which is that all global trade is settled in US dollars; if you’re in Kenya and want to trade with someone in neighboring Nigeria, you have to trade for the US dollar and then back to the Kenyan shilling.

Companies are also finding it hard to recruit enough skilled security personnel to properly protect their systems as there simply isn’t enough talent to go around, Vellante said. And so it may come as a surprise to learn that enterprises are actually becoming more circumspect about how much money they’re willing to spend on security relative to previous years, according to data from Enterprise Technology Research. According to Sagar Kadakia, director of research at ETR, “CIOs no longer have a blank check to spend on security.” One could be mistaken for thinking this means enterprises have thrown in the towel, so to speak, but in fact it’s more of a reflection of how fluid the cybersecurity space is right now. What’s actually happening according to ETR is that spending on cybersecurity is bifurcating, with a select few companies seeing their spending momentum and market share grow at the expense of others. Among those on the up are startups such as CrowdStrike Holdings Inc. and Okta Inc., plus more established players such as Palo Alto Networks Inc., Cisco Systems Inc. and Microsoft Corp. In contrast, the likes of Dell EMC, IBM Corp., Symantec Corp., Check Point Software Technologies Ltd. and SonicWall Inc. are all losing ground according to ETR surveys.

Breaking Into Data Science

Webinar Wrap Up: Breaking Into Data Science
Data scientists are critical in transforming massive volumes of data into action for companies. They were in high demand in the past too but limited to large enterprises and digital natives until recently. Today almost all companies worldwide are investing in data science skills. A top job seeker site, Indeed, shows a 29 percent increase in demand for data scientists year over year and an increase of 344 percent compared to five years prior. According to the LinkedIn Workforce Report, as of late 2018, every large U.S. city reported a shortage of data science skills. There is a gap of 151,717 people with data science skills, particularly acute in New York City (34,032 people), the San Francisco Bay Area (31,798 people), and Los Angeles (12,251 people). The U.S. Bureau of Labor Statistics estimates that there will be around 11.5 million jobs in data science and analytics by 2026. No doubt, data scientists need a strong educational background. If we look at the qualifications of currently working data scientists, 88 percent have a Master’s degree, and 46 percent hold a Ph.D.

IoT Has Spawned Entity-Based Risks -- Now What?

The exponential growth in IoT devices has led to more ransomware, malware and botnet attacks that are specifically targeting certain equipment. The Mirai botnet is a recent, high-profile example. Using a distributed denial of service (DDoS) attack against infrastructure provider Dyn, it disabled much of the internet on the U.S. East Coast on October 21, 2016. Mirai took over poorly secured IoT devices like security cameras, DVRs and routers by logging in using default passwords. In comparison, smaller, more targeted attacks can easily evade detection by conventional security products. ... Another approach involves using machine learning models to learn what constitutes normal behavior for an IoT device and monitor its activity to detect anomalies as they occur. This requires a mature User and Entity Behavior Analytics (UEBA) system capable of monitoring large numbers of IoT devices in real time. Machine learning provides the force multiplier needed to monitor for IoT security threats at scale. While IoT devices are not complicated equipment in and of themselves, connecting hundreds, thousands or more of them to the network creates a massive attack surface that can be difficult to protect using traditional methods.

Microservices security calls for zero-trust, data classification

"It's looking at running processes and system calls -- looking at what the server is actually doing, not what the log says is being done," Dougherty said. Omada has a small SecOps staff, so it leans on Threat Stack's security operations center (SOC) service to escalate alerts as well. Some tech futurists believe a zero-trust model will eventually mean that security is primarily the domain of applications, and that microservices security will rely on app functions that decide in real time whether to use a certain piece of infrastructure. But for now, zero-trust practitioners say sound security calls for proactive and reactive defenses at both the application and infrastructure level. FullStory is still building up its zero-trust model and microservices security practice, but at GitLab, Wang said the company used all the cybersecurity practices available, from code scanning to developer training to red teaming and bug bounties, and that full spectrum will be necessary for the foreseeable future.

Encrypted Emails on macOS Found Stored in Unprotected Way

Gendler discovered something curious in some of those .db files. “The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails,” he wrote. “And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED.” Further, he discovered that even with Siri disabled, the OS still collects and stores data for Siri, in effect, storing encrypted emails without encryption in a database. This defeats “the purpose of utilizing and sending an encrypted email,” Gendler wrote. Typically, emails encrypted with S/MIME do so with a recipient’s public key, with a corresponding private key—also in the hands of the recipient–required to decrypt the messages, he explained. “If the private key is unavailable or removed, the message should not be readable, by anything,” Gendler wrote. “Unless the private key is compromised, you can be confident that only your intended recipient will be able to access the sensitive data in your email.” Gendler informed Apple on July 29 of the problem, which he discovered occurring on macOS Mojave 10.14 and the beta of macOS Catalina 10.15.

How to navigate cybersecurity in a 5G world

"Security virtualization could be the most crucial advancement related to 5G security, for both the provider and their enterprise customers. Enterprise IT is becoming more distributed, and through virtualization networking is following suit. Security needs to follow that trend," according to the report. Endpoint security is also a concern for 5G users. As more 5G devices are connected to the network, such as Multi-access Edge Computing (MEC) nodes, authentication and certification becomes paramount. However, only 33% of respondents said they planned to implement tighter network access controls in the next five years, and only 37% said they were creating new systems for device authentication, the report found. A zero-trust security model could help address these concerns, as it would continually check a user's presence and behavior, regardless if the user is a human or machine. Enterprises are embracing zero-trust, with 68% saying they have implemented it or are in the process, but only 33% said they have multifactor authentication (MFA) in place, the report found.

Quote for the day:

"Failure is simply the opportunity to begin again, this time more intelligently." -- Henry Ford

No comments:

Post a Comment