Daily Tech Digest - November 12, 2019

SASE is more than a buzzword for BioIVT

Making the leap to this SASE platform was quite a change for BioIVT. How did Thomson justify the transition to his executives? “We positioned it as a platform for everything that we wanted to be able to do over the next three years with the business,” he says. “The big goal, the business strategy, is growth and acquisition. We presented this as a platform, as a base service that we just had to have in place in order to leverage things like voice over IP, Office 365, Azure, cloud-based computing services, hosting servers in the cloud. Without a common core solid foundation, we wouldn't have been able to do any of those things reliably without adding staff to do monitoring or maintenance or administrative overhead.” Further, Thomson says he positioned the Cato solution as almost a black box tool for networking where they would know what services they were getting. “We could manage it through a web interface, didn't have to worry about specific technical skillsets that we would need to bring in. Just going with Cato's SD-WAN, we dealt with all of those networking things as well as security, which just continues to become more and more important and wasn't something that we could afford to treat as just a single vendor outsource that's half paying attention to what was going on.”



US Cyber Command uploads new malware samples linked to North Korean state-backed financial heists

Analysis of malware samples revealed that one backdoor was capable of uninstalling or updating itself, suggesting that North Korean hackers are currently trying to hide their identities from security teams. In September, US Cyber Command uploaded 11 malware samples on VirusTotal, many of them linked to Lazarus Group - an umbrella term used to describe the hacking activity carried out to advance the interests of the North Korean government. Some of those samples were found to be similar to "HOPLIGHT," a trojan used by hackers to collect information on the operating systems of victims' machines. Earlier in August, Cyber Command released two malware samples, one of which was a dynamically linked library, while another was an executable file. All these announcements come weeks after a UN report that revealed that North Korea had used 35 cyber attacks to steal $2 billion from foreign financial institutions, and spent the money on its weapons programmes. In September, the US Treasury sanctioned three hacking groups - Lazarus, Bluenoroff and Andariel - all linked with North Korea.


Top concerns for audit executives? Cyber risks and data governance


Cybercriminals are now operating highly sophisticated organizations with a variety of low-cost, readily available hacking tools. A lack of relevant skills and low cybersecurity budgets means that organizations are falling behind in their attempts to counter the growing number of cyberattacks. Without an increase in resources, organizations will continue to be unable to mitigate the threat of cyberattacks, leading to potential data breaches, loss of intellectual property and regulatory exposure. At a minimum, organizations should have foundational security measures in place, such as privileged access controls on sensitive assets and mature vulnerability identification. It is also important to evaluate not only employee cybersecurity training and access management policies, but also the organization’s overall network security mechanisms and operational technology assets. Finally, organizations should ensure their response plan for cyber-physical attacks (which target the control of an organization’s physical infrastructure) addresses all of its vulnerabilities in the event of an incident.


Low-code and no-code development platforms


Low-code tools come with libraries which provide off-the-shelf components, for instance to support the latest innovations such as blockchain and artificial intelligence. Components may be provided by the supplier, third parties or the community of users, and may be free or paid for. There are also application programming interfaces (API) that enable external integrations – calling web services, for example. APIs were often lacking in the original 4GLs. Low-code tools will vary in their support for other features many consider now central to any application building effort, such as version control and support for DevOps. Low-code tools providers also claim faster testing of applications, lower error rates and more reliable security, all of which reduce cost and are areas where 4GLs were felt to fall short. Of course, the low-code tools themselves must be paid for, whereas many 3GL compilers are open source and make use of free open source libraries.


The data science gender pay gap is shrinking—barely


No matter what strategy is used, maintaining a diverse workforce is advantageous for any organization. "Organizations benefit from successful collaboration amongst different perspectives and viewpoints," said June Severino Feldman, CMO of Intelligent Product Solutions. "The greater the gender and ethnic diversity and a company's ability to collaborate effectively, the greater the potential for successful outcomes." Across the world, improvements have been made, but we are far from equality. Here is the breakdown, by region, of Harnham's research. ... Regardless of what strategy the company uses to encourage a diverse team, all team members must be on-board, starting from the top, Romansky said. "We suggest a holistic approach," Romansky continued. "It has to be a mandate supported by leadership with a variety of strategies that not only attract underrepresented talent—from sourcing, selection, and conversion—but then also engage and include that talent once they're in the door." To welcome diverse talent, companies must work to eliminate bias. "Employers must also look at themselves and their biases honestly -- it feels so much easier and natural to hire the guy who looks just like you, but to routinely follow this practice shortchanges the teams' abilities to adapt, create and innovate," Feldman said.


Real-World Cybersecurity: Keeping Ourselves And Our Children Safe

Our society is in a period of hyper-connectivity. This goes beyond our cellphones and laptops to include smart TVs, IoT-connected baby monitors and much more. If it’s a popular appliance, there’s at least one manufacturer out there touting an internet-connected version. This trend is creating massive personal data trails. There’s a high likelihood that almost every day, you’re handing over your valuable information without even giving it much thought – whether it’s at the grocery store, on social media channels or within your fitness tracker. Every bit of this data has value assigned to it, both for legitimate organizations and for cyber criminals who are determined to capitalize on it. Risks can include everything from gas pump and ATM card skimmers to schemes as nefarious as scamming people out of their life savings under the auspices of purchasing their dream home. The most vulnerable in the physical world – senior citizens and children – face similar risk in the cyber world. As the general population goes about daily life, convenience and ease of use are top of mind – risk isn’t usually a consideration. As a private citizen, you’re not likely to invest in heavy-duty cybersecurity tools.


Retirements pose threat to cybersecurity expertise in Congress

The retirements of Republican Reps. Hurd, Mac Thornberry (Texas), and Greg Walden (Ore.) previously underlined the threat to cyber leadership in the House. Hurd, a former CIA official, is viewed as one of the major cybersecurity voices in Congress, and has co-sponsored numerous bills around this issue, including those intended to secure internet-connected devices against cyberattacks and to secure elections. Hurd also serves as the top Republican on the House Intelligence Subcommittee on Intelligence Modernization and Readiness. In announcing that he would not run for reelection in 2020, Hurd highlighted cyber and tech issues as areas that the government would still need to address, and tweeted that he hoped to "pursue opportunities outside the halls of Congress to solve problems at the nexus between technology and national security." In a separate statement, Hurd highlighted cyber and tech issues, saying, "We are in a geopolitical competition with China to have the world's most important economy. There is a global race to be the leader in artificial intelligence, because whoever dominates AI will rule the world. We face growing cyberattacks every day."


Augmented Reality to Fill Skills Gap


Augmented reality is a new tool that can make the mining and retention of that expertise much better and much more automated. Having an experienced worker perform, for example, a regular maintenance procedure on a piece of equipment and recording a voice over using augmented reality greatly enhances skill and experience transfer from one generation of workers to the next. “Using an augmented reality headset, a new employee can follow, very specifically, the procedure that was performed by a more experienced worker, with great knowledge transfer and a fraction of the time it would otherwise take,” explains Higgins. With augmented and mixed reality-enabled headsets, workers can safely train, in a digital environment, to address problems such as increased line speed, quality issues, breakdowns, hazardous conditions, among others. “Systems like Vuforia from PTC are aimed at helping close the skill gap by expertly capturing a procedure that is done in an industrial environment and passing that expertise on to someone else,” he said. Workers can more effectively and efficiently address challenges with more real-to-life instructions presented by veteran co-workers with tribal knowledge of the work environment in this 3D-based work instruction format.


The FBI multi-factor authentication notification that should have never been


There are two factors that can prevent account takeover, which results from the above types of attacks. Mixing true multi-factor authentication with rich context ensures that you are interacting with the intended user and that they understand what they are approving. In a SIM swap scenario, using a secondary form of authentication that isn’t outside the person’s control would be enough to thwart the FBI-documented attacks. For instance, a device that is registered to that person and not their phone number. However, such a solution on its own would not be enough to prevent account takeover resulting from a session hijacking. What could help is providing more context around authorization requests and on a secondary device. I find it hard to imagine a hijacking attempt being successful if a user was prompted by their banking website to re-authenticate their session while receiving a request on their authentication device to authorize a credential change. The rich context provides the intended victim with enough information to reject the attempt by the attacker no matter how well they perform the phishing attack.


Cheap IoT satellite network gets approval

“Swarm will begin rolling out its commercial, two-way data offerings in early 2020,” Sara Spangelo, co-founder and CEO, told me in a recent e-mail. The company aims to deploy 150 satellites before the end of 2020, she says. The FCC, in October, granted Part 25 approval for the startup to deploy and operate 150 non-geostationary, Low Earth Orbit (LEO) satellites, for non-voice purposes. Swarm intends to target logistics, energy and the maritime verticals with what it promises to be a cheap service. Data over satellite, while allowing connections remotely across the entire globe unlike cellular, has historically been expensive: Satellite-communications incumbent Iridium’s Short Burst Data rates can be a dollar per kilobyte, for example. Swarm doesn’t say how much its service will cost. However, in January, the company obtained $25 million in Series A funding to build what Spangelo then described as “the world’s lowest cost satellite network.” Telemetry from connected vehicles, farmland agricultural sensors, on-board shipping logistics and remote rural sensors, such as water monitoring in Africa or smart meters, plus remote-area, human-to-human texting are all applications the company believes appropriate for its network.



Quote for the day:


"Leaders are more powerful role models when they learn than when they teach." -- Rosabeth Moss Kanter

