Zerologon Attacks Against Microsoft DCs Snowball in a Week
“This flaw allows attackers to impersonate any computer, including the domain
controller itself and gain access to domain admin credentials,” added Cisco
Talos, in a writeup on Monday. “The vulnerability stems from a flaw in a
cryptographic authentication scheme used by the Netlogon Remote Protocol which
— among other things — can be used to update computer passwords by forging an
authentication token for specific Netlogon functionality.” ... Microsoft’s
patch process for Zerologon is a phased, two-part rollout. The initial patch
for the vulnerability was issued as part of the computing giant’s August 11
Patch Tuesday security updates, which addresses the security issue in Active
Directory domains and trusts, as well as Windows devices. However, to fully
mitigate the security issue for third-party devices, users will need to not
only update their domain controllers, but also enable “enforcement mode.” They
should also monitor event logs to find out which devices are making vulnerable
connections and address non-compliant devices, according to Microsoft.
“Starting February 2021, enforcement mode will be enabled on all Windows
Domain Controllers and will block vulnerable connections from non-compliant
devices,” it said.
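The excerpt says administrators should enable enforcement mode and watch event logs for devices still making vulnerable Netlogon connections. The following PowerShell script is an added example for that check, not code from the article or from Microsoft: it reads the `FullSecureChannelProtection` value under the Netlogon `Parameters` key and summarises the Netlogon event IDs 5827 to 5831 that Microsoft's guidance for this vulnerability documents (those identifiers and the message-format regex are assumptions taken from that guidance, not from this page). Run it in an elevated session on a patched domain controller.

```powershell
# Added example (not from the article): summarise Netlogon enforcement state and
# vulnerable-connection events on a Windows domain controller.
# Event IDs 5827-5831 and the FullSecureChannelProtection value are taken from
# Microsoft's published guidance for this vulnerability, not from this page.

$params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $params -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
switch ($enforce) {
    1       { 'Enforcement mode: ON (vulnerable connections are blocked)' }
    0       { 'Enforcement mode: OFF (deployment mode; vulnerable connections allowed and logged)' }
    default { 'Enforcement mode: value not set explicitly (patched-DC default applies)' }
}

# Meaning of each event ID, as documented by Microsoft (assumed, see lead-in).
$meaning = @{
    5827 = 'Denied vulnerable connection from a machine account'
    5828 = 'Denied vulnerable connection from a trust account'
    5829 = 'Allowed vulnerable machine connection (fix before enabling enforcement)'
    5830 = 'Allowed vulnerable machine connection because of an exception policy'
    5831 = 'Allowed vulnerable trust connection because of an exception policy'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    'No Netlogon vulnerable-connection events in the last 7 days.'
    return
}

# Count of each event ID in the window.
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '{0,5} x {1}: {2}' -f $_.Count, $_.Name, $meaning[[int]$_.Name]
}

# Devices behind 5829 events are the non-compliant devices that will be blocked
# once enforcement mode is turned on. The regex assumes the event message carries
# a 'Machine SamAccountName:' field, as in Microsoft's event description.
'Non-compliant devices still allowed (event 5829):'
$events | Where-Object Id -eq 5829 | ForEach-Object {
    if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique
```

A DC that reports enforcement ON and no 5829 events over a full patch cycle is the state the article's guidance is driving toward; any names in the last list need a firmware or OS update (or a documented exception) before enforcement is switched on.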
Programming languages: Java founder James Gosling reveals more on Java and Android
Object-oriented programming was also an important concept for Java, according
to Gosling. "One of the things you get out of object-oriented programming
is a strict methodology about what are the interfaces between things and being
really clear about how parts relate to each other." This helps address
situations when a developer tries to "sneak around the side" and breaks code
for another user. He admits he upset some people by preventing
developers from using backdoors. It was a "social engineering" thing, but says
people discovered that restriction made a difference when building large,
complex pieces of software with lots of contributors across multiple
organizations. It gave these teams clarity about how that stuff gets
structured and "saves your life". He offered a brief criticism of former
Android boss Andy Rubin's handling of Java in the development of Android.
Gosling in 2011 had a brief stint at Google following Oracle's acquisition of
Sun. Oracle's lawsuit against Google over its use of Java APIs is still not
fully settled after a decade of court hearings. "I'm happy that [Google]
did it," Gosling said, referring to its use of Java in Android. "Java had been
running on cell phones for quite a few years and it worked really, really
well. ..."
Prepare Your Infrastructure and Organization for DevOps With Infrastructure-as-Code
To understand infrastructure as code better, let’s look at what happened when
cars became ubiquitous here in the US. Before cars, the railroad system ruled
it all. Trains running on extremely well-defined, regimented schedules carried
passengers and goods, connected people and places using the mesh of railroads
that crisscrossed the country [1]. Cars democratized transport, allowing us to use our own vehicles on
schedules convenient to us. To support this, a rich ecosystem of gas stations,
coffee shops, restaurants and rest areas cropped up everywhere as a support
system. Most importantly, the investment in the US road system paved the way
(pun intended) for a network of freeways, highways and city roads that now
carry a staggering 4 trillion passenger-miles of traffic each year, compared
to a meager 37 billion passenger-miles carried by railroads [2]. We are in the midst of a similar revolution in application architectures.
Applications are evolving from the railroad mode (monolithic architectures
deployed and managed in centralized, regimented ways, following a waterfall
model of project management), to the road system mode (micro-services
architectures with highly interconnected components, deployed and managed by
small teams following DevOps practices).
The lifecycle of a eureka moment in cybersecurity
The cybersecurity industry is saturated with features passing themselves off
as platforms. While the accumulated value of a solution’s features may be
high, its core value must resonate with customers above all else. More pitches
than I wish to count have left me scratching my head over a proposed
solution’s ultimate purpose. Product pitches must lead with and focus on the
solution’s core value proposition, and this proposition must be able to hold
its own and sell itself. Consider a browser security plugin with extensive
features that include XSS mitigation, malicious website blocking, employee
activity logging and download inspections. This product proposition may be
built on many nice-to-have features, but, without a strong core feature, it
doesn’t add up to a strong product that customers will be willing to buy.
Add-on features, should they need to be discussed, ought to be mentioned as
secondary or additional points of value. Solutions must be scalable in order
to reach as many customers as possible and avoid price hikes with reduced
margins. Moreover, it’s critical to factor in the maintenance cost and “tech
debt” of solutions that are environment-dependent on account of integrations
with other tools or difficult deployments.
Why data security has never been more important for healthcare organisations
The first step is to adopt a ‘zero-trust approach’, meaning that every single
access request by a user should require their identity to be appropriately
verified. Of course, to avoid users having to enter their username/password
over and over again, this approach should be risk-weighted so that less
important access requires less interventionist verification, for instance,
using contextual signals like the location of the user or device
characteristics. There is no longer a trade-off to be made between security
and convenience – access to data and systems can be easy, simple and safe.
This approach allows an organisation to always answer yes to: “Am I
appropriately sure this person is who they say they are?” It is a philosophy
which should be applied to internal and external users: a crucial fact given
healthcare data’s risk profile. The second step for healthcare organisations
is to consider eliminating the standard username/password authentication
method and embrace modern, intelligent authentication. This delivers a
combination of real-time context-based authentication and authorisation that
seamlessly provides the appropriate level of friction based on the actions
being taken by a service user.
Do You Need a Chief Data Scientist?
The specific role that a Chief Data Scientist plays depends on how the
organization is applying data science, and where it falls on the
build-versus-buy spectrum. Here, it’s important to differentiate between an
organization that is creating a for-sale product or service that includes
machine learning as a core feature, or whether it’s looking to use machine
learning or data science capabilities for a product or service that’s used
internally. Anodot, which creates and sells software that uses machine
learning models to analyze time-series data, is a good example of an
organization building an external product with machine learning as a core
feature. Cohen leads a team of data scientists in building all of the machine
learning capabilities that are available in the Anodot product. On the other
hand, there are organizations that are using machine learning capabilities to
create a product that is used internally, or for data science services. In
these types of organizations, the Chief Data Scientist, with her deep
experience, is best equipped to answer these tough questions, Cohen says. “I
think companies should build it themselves if they’re going to sell it, or if
it’s a mission critical application,” Cohen says. “But it has to be mission
critical. Otherwise, why bother?”
Should you upgrade tape drives to the latest standard?
There are three reasons that could justify upgrading your tape drive. The
first would be if you have a task that uses large amounts of tape on a regular
basis and upgrading to a faster tape drive would increase the speed of that
process. For example, it might make sense for a movie producer using cameras
that produce petabytes of data a day who wants to create multiple copies and
send them to several post-production companies. Copying 1PB to tape takes 22
hours at LTO-7 speeds, and LTO-9 would roughly halve that time. (The three
companies behind the standard have not advertised the speed part of the spec
yet, but it should be somewhere around 1200-1400 MB/s.) If the difference
between 22 and 11 hours changes your business, then by all means upgrade to
LTO-9. Second, LTO-9 offers a 50% capacity increase over LTO-8 and a 200%
capacity increase over LTO-7. If you are currently paying by the tape for
shipping your tapes or storing them in a vault, a financial argument could be
made for upgrading to LTO-9 and copying all of your existing tapes to newer,
bigger tapes. You might be able to significantly reduce those monthly costs if
you’re using LTO-8 tapes and reduce them even more if you’re using LTO-7.
Archive as a service: What you need to know
Before the advent of cloud service providers, magnetic tapes primarily stored
archive data in environmentally clean and physically secure facilities, such
as those still offered by companies like Iron Mountain. As time progressed,
organizations also stored archived data on rotating hard drives, fiber optic
storage and solid-state disks. Of great importance to IT managers is the cost
for data storage, and the good news is that advances in storage technology --
especially, as provided by cloud-based data archiving companies, as well as
collocation-based archiving providers -- have helped reduce the cost for
archival storage. ... Your organization should establish ground rules in its
use of archive as a service for what gets stored, where storage occurs, how
data is stored, the duration of storage and special data requirements such as
deduplication and formatting. Perform the necessary due diligence to ensure
that you can securely transmit your data to the archive location. Also, make
sure the archiving provider can encrypt the data in transit and at rest, and
ensure the storage location is fully secure and can minimize unauthorized
access to archived data. You must carefully research key parameters -- data
transmission media, data security capabilities, data integrity and data
protection resources -- for all potential third-party vendors.
Three Steps To Manage Third-party Risk In Times Of Disruption
After a risk assessment has been carried out, organisations must ensure that a
risk strategy is built into all service-level agreements and constantly
monitor their third-party partners for new risks that may arise, including
further down the supply chain. This includes monitoring the third-party’s
performance metrics and internal control environment and collecting any
relevant supporting documentation on an ongoing basis. In doing so, such
information can inform risk strategy across the business and help companies
identify issues before they arise. By monitoring these relationships on an
ongoing basis, IT teams have wider visibility into the risk landscape and can
minimise the likelihood of issues down the line. ... If a large number of
third parties are used by the company, it can be hard for IT teams to keep
track. Third-party relationships are often managed in silos across different
areas of the business, each of which may have a unique way of identifying and
managing them. This makes it increasingly difficult for management teams to
get an accurate overview of third-party risk and performance across the
business.
Java is changing in a responsible manner
The world around us is changing. You know, the first thing that got me excited
about Java was applets. We did not even know that Java would thrive on the
server side; that came much later. But today we are in a very different world.
Back then, we did not have big data, we didn’t have smart devices, we didn’t
have functions as a service, and we didn’t have microservices. If Java didn’t
adapt to the new world, it would have gone extinct. I started with Java fairly
early on, and it’s absolutely phenomenal and refreshing to know that I am now
programming with the next generation of programmers. The desires and needs and
expectations of the next generation are not the same as those of my
generation. Java has to cater to the next generation of programmers. This is a
perfect storm for the language: On one hand, Java is popular today. On the
other hand, Java must stay relevant to the changing business environment,
changing technology, and changing user base. And we are going to make this
possible. After 25 years, Java is not the same Java. It’s a different Java,
and that’s what excites me about it.
Quote for the day:
"Enthusiasm is the greatest asset in the world. It beats money, power and influence." -- Henry Chester