"Although the impact of COVID-19 may explain some of the current, continued delay, quite why what may end up being over a year to resolve these matters since the ICO announced its intentions to fine may leave some wondering whether GDPR enforcement is going as quickly as it should," he says. "In addition, what was also expected to be a showcase for the first significant fines under GDPR in the U.K. may now be a letdown." But Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting, says that seeing an extended legal process isn't surprising, especially because GDPR enforcement norms have yet to be set. "The regulator, be that the ICO or any other regulator, has to ensure their case is a legally watertight as it can be before issuing a fine or a penalty. This is very important as organizations, particularly large ones with deep legal resources, will no doubt challenge any penalties imposed on them," he says. "The BA and Marriott cases are a prime example of this," says Honan, who's also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency. "We also have to take into account many of the regulators have limited resources, and their staff have to ensure they support the rights of all data subjects as best they can."
If you lead with the assumption that something somewhere and at some time will jump out and attack, you naturally prepare to defend yourself. This preparation doesn’t distract you from moving forward, but it does prove critical when you need to protect yourself. If your entire supply chain is dependent upon the ongoing support of unfriendly or at least unaligned actors and subject to pendulum swings in the political environment, you diversify the supply chain risk. By the same token, minimizing business model risk by diversifying channels is essential. Moving forward, expect every restaurant and food-service operator that is interested in surviving and thriving to develop robust online and takeout systems and internal processes. I’ve lost interest or empathy for the old-line retailers of my childhood now teetering on the brink of the abyss. They’ve had more than two decades to reset for resilience and diversify their business models, develop new channels, embrace technology, and make themselves relevant to consumers. A few have pulled this off and merit kudos. The rest will likely soon join the growing heap of old brands that will be lost to memory in a few short years.
The reason the flaw has not been rated critical is likely because attackers technically need authenticated access to VMware Cloud Director to exploit it. However, according to Citadelo's Zatko, that's not hard to achieve in practice since most cloud providers offer trial accounts to potential customers that involve access to the Cloud Director interface. In most cases there is no real identity verification either for such accounts, so attackers can gain easy access without providing their real identities. This highlights a larger issue with assessing risk based only on vulnerability scores: Severity scores don't always reflect or take into account the real-world conditions in which vulnerable systems might typically exist. Certain configuration or deployment choices can make a vulnerability much easier or harder to exploit than the advisory or the CVSS score suggests. Zatko is concerned that VMware Cloud Director users did not take the issue too seriously based on the advisory alone. More than two weeks after the patches had already been out, his company tested another Fortune 500 organization that used the product and it was still vulnerable.
PacBot, also known as Policy as Code Bot, is a compliance monitoring platform. You implement your compliance policies as code, and PacBot checks your resources and assets against those policies.You can use PacBot to automatically create compliance reports and resolve compliance violations with predefined fixes. Use the Asset Group feature to organize your resources within the PacBot UI dashboard, based on certain criteria. For example, you can group all your Amazon EC2 instances by state -- such as pending, running or shutting down -- and view them together. You can also limit the scope of a monitoring action to one asset group, for more targeted compliance. PacBot was created by T-Mobile, which continues to maintain it.It can be used with AWS and Azure. ... Pacu is a penetration testing toolkit for AWS environments. It provides a red team a series of attack modules that aim to compromise EC2 instances, test S3 bucket configurations, disrupt monitoring capabilities and more. The toolkit currently has 36 plugin modules and includes built-in attack auditing for documentation and test timeline purposes. Pacu is written in Python and maintained by Rhino Security Labs, a penetration testing provider.
Reed stated that secure access and optimal performance are a must. “The rapid adoption of SD-WAN for connecting to multi-cloud applications provides enterprises with the opportunity to rethink how access and security are managed from campus to cloud to edge,” he stated. “With 60% of organizations expecting the majority of applications to be in the cloud by 2021 and over 50% of the workforce to be operating remotely, new networking and security models such SASE offer a new way to manage the new normal.” According to Reed, the goal of SASE is to provide secure access to applications and data from on-premises data centers or cloud platforms, with access determined by identities that are defined by combinations of characteristics including individuals, groups, locations, devices, and services. Service edge refers to global points of presence (PoP), IaaS, or colocation facilities where local traffic from branches and endpoints is secured and forwarded to the appropriate destination without first traveling through corporate data centers. By delivering security and networking services together from the cloud, organizations will be able to securely connect any user or device to any application and optimize user experience, Reed stated.
Quote for the day: