Daily Tech Digest - September 30, 2020

Zerologon Attacks Against Microsoft DCs Snowball in a Week

“This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials,” added Cisco Talos, in a writeup on Monday. “The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality.” ... Microsoft’s patch process for Zerologon is a phased, two-part rollout. The initial patch for the vulnerability was issued as part of the computing giant’s August 11 Patch Tuesday security updates, which addresses the security issue in Active Directory domains and trusts, as well as Windows devices. However, to fully mitigate the security issue for third-party devices, users will need to not only update their domain controllers, but also enable “enforcement mode.” They should also monitor event logs to find out which devices are making vulnerable connections and address non-compliant devices, according to Microsoft. “Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices,” it said.
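The mitigation steps Microsoft describes above, as an added example that is not part of the digest or of the cited writeups: a PowerShell snippet to run on an already patched domain controller that lists the devices still making vulnerable Netlogon secure-channel connections and then switches the DC to enforcement mode instead of waiting for the February 2021 rollout. The event IDs (5827 through 5831) and the FullSecureChannelProtection registry value come from Microsoft's published Zerologon guidance; the seven-day lookback window and the CSV path are assumptions made for this illustration.

```powershell
# Added example: inventory non-compliant devices, then enable Netlogon enforcement mode.
# Run in an elevated PowerShell session on a domain controller that has the
# August 2020 (or later) update installed.

# Event IDs written to the System log by the patched Netlogon service:
#   5827 / 5828 - vulnerable connection from a machine / trust account was DENIED
#   5829        - vulnerable machine-account connection was ALLOWED (only logged while
#                 enforcement mode is off; these are the devices that still need fixing)
#   5830 / 5831 - vulnerable connection ALLOWED because the account is covered by the
#                 "Allow vulnerable Netlogon secure channel connections" group policy
$ids   = 5827, 5828, 5829, 5830, 5831
$since = (Get-Date).AddDays(-7)      # assumption: one week of history is enough

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# %1 in every one of these event templates is the machine/trust account name,
# so Properties[0] is the account; the full message carries OS build and client IP.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $e.Properties[0].Value
        Detail  = ($e.Message -replace '\s+', ' ')
    }
}

# One line per device (most recent event), so the list can be handed to its owner.
$rows |
    Sort-Object Account, Time -Descending |
    Group-Object Account |
    ForEach-Object { $_.Group[0] } |
    Format-Table Time, Id, Account, Detail -AutoSize

# Keep the raw list for tracking remediation (assumed path).
$rows | Export-Csv -Path 'C:\Temp\netlogon-vulnerable-connections.csv' -NoTypeInformation

# Enforcement mode: once this is set, devices still listed above are refused (5827/5828)
# rather than allowed (5829). Third-party devices must be fixed or explicitly allowed via
# the group policy first, or they will drop off the domain.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $key -Name 'FullSecureChannelProtection' -Value 1 -Type DWord
Get-ItemProperty  -Path $key -Name 'FullSecureChannelProtection'
```

Run the inventory part on every domain controller, not just one, since each DC only logs the connections it served; review the 5829 list until it is empty (or every remaining entry is a deliberately allowed account) before setting the registry value.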

Programming languages: Java founder James Gosling reveals more on Java and Android

Object-oriented programming was also an important concept for Java, according to Gosling. "One of the things you get out of object-oriented programming is a strict methodology about what are the interfaces between things and being really clear about how parts relate to each other." This helps address situations when a developer tries to "sneak around the side" and breaks code for another user.  He admits he upset some people by preventing developers from using backdoors. It was a "social engineering" thing, but says people discovered that restriction made a difference when building large, complex pieces of software with lots of contributors across multiple organizations. It gave these teams clarity about how that stuff gets structured and "saves your life". He offered a brief criticism of former Android boss Andy Rubin's handling of Java in the development of Android. Gosling in 2011 had a brief stint at Google following Oracle's acquisition of Sun. Oracle's lawsuit against Google over its use of Java APIs is still not fully settled after a decade of court hearings.  "I'm happy that [Google] did it," Gosling said, referring to its use of Java in Android. "Java had been running on cell phones for quite a few years and it worked really, really well. ..."

Prepare Your Infrastructure and Organization for DevOps With Infrastructure-as-Code

To understand infrastructure as code better, let’s look at what happened when cars became ubiquitous here in the US. Before cars, the railroad system ruled it all. Trains running on extremely well-defined, regimented schedules carried passengers and goods, connecting people and places using the mesh of railroads that crisscrossed the country. Cars democratized transport, allowing us to use our own vehicles on schedules convenient to us. To support this, a rich ecosystem of gas stations, coffee shops, restaurants and rest areas cropped up everywhere as a support system. Most importantly, the investment in the US road system paved the way (pun intended) for a network of freeways, highways and city roads that now carry a staggering 4 trillion passenger-miles of traffic each year, compared to a meager 37 billion passenger-miles carried by railroads. We are in the midst of a similar revolution in application architectures. Applications are evolving from the railroad mode (monolithic architectures deployed and managed in centralized, regimented ways, following a waterfall model of project management), to the road system mode (micro-services architectures with highly interconnected components, deployed and managed by small teams following DevOps practices).

The lifecycle of a eureka moment in cybersecurity

The cybersecurity industry is saturated with features passing themselves off as platforms. While the accumulated value of a solution’s features may be high, its core value must resonate with customers above all else. More pitches than I wish to count have left me scratching my head over a proposed solution’s ultimate purpose. Product pitches must lead with and focus on the solution’s core value proposition, and this proposition must be able to hold its own and sell itself. Consider a browser security plugin with extensive features that include XSS mitigation, malicious website blocking, employee activity logging and download inspections. This product proposition may be built on many nice-to-have features, but, without a strong core feature, it doesn’t add up to a strong product that customers will be willing to buy. Add-on features, should they need to be discussed, ought to be mentioned as secondary or additional points of value. Solutions must be scalable in order to reach as many customers as possible and avoid price hikes with reduced margins. Moreover, it’s critical to factor in the maintenance cost and “tech debt” of solutions that are environment-dependent on account of integrations with other tools or difficult deployments.

Why data security has never been more important for healthcare organisations

The first step is to adopt a ‘zero-trust approach’, meaning that every single access request by a user should require their identity to be appropriately verified. Of course, to avoid users having to enter their username/password over and over again, this approach should be risk-weighted so that less important access requires less interventionist verification, for instance, using contextual signals like the location of the user or device characteristics. There is no longer a trade-off to be made between security and convenience – access to data and systems can be easy, simple and safe. This approach allows an organisation to always answer yes to: “Am I appropriately sure this person is who they say they are?” It is a philosophy which should be applied to internal and external users: a crucial fact given healthcare data’s risk profile. The second step for healthcare organisations is to consider eliminating the standard username/password authentication method and embrace modern, intelligent authentication. This delivers a combination of real-time context-based authentication and authorisation that seamlessly provide the appropriate level of friction based on the actions being taken by a service user.

Do You Need a Chief Data Scientist?

The specific role that a Chief Data Scientist plays depends on how the organization is applying data science, and where it falls on the build-versus-buy spectrum. Here, it’s important to differentiate between an organization that is creating a for-sale product or service that includes machine learning as a core feature, or whether it’s looking to use machine learning or data science capabilities for a product or service that’s used internally. Anodot, which creates and sells software that uses machine learning models to analyze time-series data, is a good example of an organization building an external product with machine learning as a core feature. Cohen leads a team of data scientists in building all of the machine learning capabilities that are available in the Anodot product. On the other hand, there are organizations that are using machine learning capabilities to create a product that is used internally, or for data science services. In these types of organizations, the Chief Data Scientist, with her deep experience, is best equipped to answer these tough questions, Cohen says. “I think companies should build it themselves if they’re going to sell it, or if it’s a mission critical application,” Cohen says. “But it has to be mission critical. Otherwise, why bother?”

Should you upgrade tape drives to the latest standard?

There are three reasons that could justify upgrading your tape drive. The first would be if you have a task that uses large amounts of tape on a regular basis and upgrading to a faster tape drive would increase the speed of that process. For example, it might make sense for a movie producer using cameras that produce petabytes of data a day who wants to create multiple copies and send them to several post-production companies. Copying 1PB to tape takes 22 hours at LTO-7 speeds, and LTO-9 would roughly halve that time. (The three companies behind the standard have not advertised the speed part of the spec yet, but it should be somewhere around 1200-1400 MB/s.) If the difference between 22 and 11 hours changes your business, then by all means upgrade to LTO-9. Second, LTO-9 offers a 50% capacity increase over LTO-8 and a 200% capacity increase over LTO-7. If you are currently paying by the tape for shipping your tapes or storing them in a vault, a financial argument could be made for upgrading to LTO-9 and copying all of your existing tapes to newer, bigger tapes. You might be able to significantly reduce those monthly costs if you’re using LTO-8 tapes and reduce them even more if you’re using LTO-7.

Archive as a service: What you need to know

Before the advent of cloud service providers, archive data was primarily stored on magnetic tape in environmentally clean and physically secure facilities, such as those still offered by companies like Iron Mountain. As time progressed, organizations also stored archived data on rotating hard drives, fiber optic storage and solid-state disks. Of great importance to IT managers is the cost for data storage, and the good news is that advances in storage technology -- especially, as provided by cloud-based data archiving companies, as well as colocation-based archiving providers -- have helped reduce the cost for archival storage. ... Your organization should establish ground rules in its use of archive as a service for what gets stored, where storage occurs, how data is stored, the duration of storage and special data requirements such as deduplication and formatting. Perform the necessary due diligence to ensure that you can securely transmit your data to the archive location. Also, make sure the archiving provider can encrypt the data in transit and at rest, and ensure the storage location is fully secure and can minimize unauthorized access to archived data. You must carefully research key parameters -- data transmission media, data security capabilities, data integrity and data protection resources -- for all potential third-party vendors.

Three Steps To Manage Third-party Risk In Times Of Disruption

After a risk assessment has been carried out, organisations must ensure that a risk strategy is built into all service-level agreements and constantly monitor their third-party partners for new risks that may arise, including further down the supply chain. This includes monitoring the third-party’s performance metrics and internal control environment and collecting any relevant supporting documentation on an ongoing basis. In doing so, such information can inform risk strategy across the business and help companies identify issues before they arise. By monitoring these relationships on an ongoing basis, IT teams have wider visibility into the risk landscape and can minimise the likelihood of issues down the line. ... If a large number of third parties are used by the company, it can be hard for IT teams to keep track. Third-party relationships are often managed in silos across different areas of the business, each of which may have a unique way of identifying and managing them. This makes it increasingly difficult for management teams to get an accurate overview of third-party risk and performance across the business. 

Java is changing in a responsible manner

The world around us is changing. You know, the first thing that got me excited about Java was applets. We did not even know that Java would thrive on the server side; that came much later. But today we are in a very different world. Back then, we did not have big data, we didn’t have smart devices, we didn’t have functions as a service, and we didn’t have microservices. If Java didn’t adapt to the new world, it would have gone extinct. I started with Java fairly early on, and it’s absolutely phenomenal and refreshing to know that I am now programming with the next generation of programmers. The desires and needs and expectations of the next generation are not the same as those of my generation. Java has to cater to the next generation of programmers. This is a perfect storm for the language: On one hand, Java is popular today. On the other hand, Java must stay relevant to the changing business environment, changing technology, and changing user base. And we are going to make this possible. After 25 years, Java is not the same Java. It’s a different Java, and that’s what excites me about it.

Quote for the day:

"Enthusiasm is the greatest asset in the world. It beats money, power and influence." -- Henry Chester
