CISA Warns of Surge in Attacks Targeting Cloud Services
This week's CISA alert notes that some hackers are using phishing emails to
steal credentials from employees so they can compromise cloud resources. In
many cases, the malicious messages appear to originate from overseas IP
addresses and domains, but attackers can easily route the traffic through a
proxy server or Tor-based network to hide its origins, CISA says. Hackers also
are using brute-force attacks to guess weak passwords. "In one case, an
organization did not require a virtual private network for accessing the
corporate network," the CISA alert notes. "Although their terminal server was
located within their firewall, due to remote work posture, the terminal server
was configured with port 80 open to allow remote employees to access it -
leaving the organization's network vulnerable. The threat actor attempted to
exploit this by launching brute force login attempts." In some cases,
attackers bypassed multifactor authentication by stealing a browser's
already-authenticated session cookie and replaying it (a "pass-the-cookie"
attack): the cookie was issued after the victim completed MFA, so the attacker
inherits the session without ever needing a one-time password, CISA adds. After
gaining an initial foothold in the network, some of the hackers attempted to
change settings within victims' email inboxes that would forward messages to
the attackers or hide certain emails from security tools.
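The last point is the most hunt-worthy part of the alert: a forwarding or deletion rule is a durable foothold that survives a password reset. The script below is an added example (not code from the CISA alert or the article) that triages inbox-rule changes from audit records. The record layout loosely follows the Microsoft 365 unified audit log for New-InboxRule and Set-InboxRule (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs); the four records, the rule contents and INTERNAL_DOMAINS are all constructed. It goes a little beyond the text by also catching the "hide" variants (delete, or move into a folder nobody reads) and keyword filters on security-related subjects.

```python
"""Triage Exchange Online inbox-rule changes for forwarding and hiding behaviour.

Added example, not code from the CISA alert or the article. Record layout loosely
follows the Microsoft 365 unified audit log (Operation, UserId, ClientIP and a
Parameters list of Name/Value pairs) for New-InboxRule and Set-InboxRule; the
records below are constructed, and INTERNAL_DOMAINS is an assumed value.
"""
import json
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Parameters that send a copy of, or redirect, matching mail somewhere else.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Parameters that decide which mail the rule catches.
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
# Folders a user rarely opens; moving security warnings there hides them in practice.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "junk email", "deleted items", "archive"}
# Words attackers filter on so the victim never sees a warning or a reply.
SUSPICIOUS_WORDS = {"hack", "hacked", "phish", "phishing", "password", "suspicious",
                    "security", "fraud", "invoice", "payment", "wire"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed audit records: one hostile forward+delete rule, one "hide" rule,
# one benign housekeeping rule, one forward to a personal mailbox.
SAMPLE_RECORDS = [
    {"CreationTime": "2021-01-11T14:02:17", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "attacker-inbox@mail.attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "password;hack;suspicious"}]},
    {"CreationTime": "2021-01-11T15:40:02", "Operation": "Set-InboxRule",
     "UserId": "carol@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Identity", "Value": "Clean up"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\RSS Subscriptions"},
                    {"Name": "SubjectContainsWords", "Value": "suspicious"}]},
    {"CreationTime": "2021-01-12T09:15:44", "Operation": "New-InboxRule",
     "UserId": "dave@example.com", "ClientIP": "192.0.2.77",
     "Parameters": [{"Name": "Name", "Value": "Weekly reports"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Projects"},
                    {"Name": "SubjectContainsWords", "Value": "weekly report"}]},
    {"CreationTime": "2021-01-12T11:03:08", "Operation": "New-InboxRule",
     "UserId": "erin@example.com", "ClientIP": "192.0.2.81",
     "Parameters": [{"Name": "Name", "Value": "Copy to personal"},
                    {"Name": "ForwardTo", "Value": "erin.home@webmail.example"}]},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)  # export format, one object per line


def _params(record):
    """Flatten the audit log's Name/Value list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_external(address):
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def _truthy(value):
    return str(value).strip().lower() in {"true", "1", "yes", "$true"}


def triage_rule(record):
    """Reasons a New-InboxRule / Set-InboxRule record looks hostile ([] if none)."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p = _params(record)
    reasons = []
    for name in FORWARD_PARAMS:                      # external forwarding / redirection
        for addr in ADDR_RE.findall(p.get(name, "")):
            if _is_external(addr):
                reasons.append(f"{name} to external address {addr}")
    if _truthy(p.get("DeleteMessage", "")):          # hiding by deletion
        reasons.append("rule deletes matching messages")
    folder = p.get("MoveToFolder", "").replace("/", "\\").split("\\")[-1].strip("\"' ").lower()
    if folder in HIDE_FOLDERS:                       # hiding by burying
        reasons.append(f"rule moves mail to rarely-read folder '{folder}'")
    words = set()
    for name in KEYWORD_PARAMS:
        words.update(w.strip().strip('"').lower()
                     for w in re.split(r"[;,]", p.get(name, "")) if w.strip())
    hits = sorted(words & SUSPICIOUS_WORDS)
    if hits:
        reasons.append(f"filters on security-related keywords {hits}")
    return reasons


def triage(records):
    """Run triage_rule over every record and keep only the flagged ones."""
    findings = []
    for rec in records:
        reasons = triage_rule(rec)
        if reasons:
            p = _params(rec)
            findings.append({"user": rec.get("UserId"), "client_ip": rec.get("ClientIP"),
                             "operation": rec.get("Operation"),
                             "rule": p.get("Name") or p.get("Identity") or "<unnamed>",
                             "reasons": reasons})
    return findings


def triage_jsonl(text):
    """Same, for records exported one JSON object per line."""
    return triage([json.loads(line) for line in text.splitlines() if line.strip()])


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['user']} ({f['client_ip']}) {f['operation']} '{f['rule']}':")
        for r in f["reasons"]:
            print("   -", r)
```

Erin's rule is the case the second CISA write-up below describes: an employee forwarding business mail to a personal account. It is not malicious, but it is exactly the rule an attacker abuses once they hold that personal mailbox, so it belongs in the same review queue.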
How CDOs Can Build Insight-Driven Organizations
Establish a data insights council to facilitate collaboration and build
consensus. Forrester recommends that CDOs be collaborators above all else in
order to establish common foundations, prioritize projects and allocate
resources. "Bringing key stakeholders together in a data insights council
allows them to see things differently and gives them a role in building the
framework for becoming insights driven," Belissent writes. Deliver value
quickly through iterative proofs of value. This is a big one. Forrester says
that successful CDOs must demonstrate the value of applying data and analytics
to specific business questions fast. If there aren't yet results, then the CDO
should demonstrate the work in process instead. Showing results builds trust
with stakeholders. One CDO quoted in the report noted that he did many "dog
and pony shows" to demonstrate insights and how they provided incremental
value. This takes the collaborative process one step further. The two new
reports written by Belissent are titled Chief Data Officers: Accelerate
Insights-Driven Business Impact in 12 Steps, and Chief Data Officers: Evolve
Your Teams to Accelerate Impact from Data Insights.
Raspberry Pi 400: The inside story of how the $70 Pi-powered PC was made
Redesigning the Raspberry Pi 4's printed circuit board to fit the Pi 400 in
some ways wasn't that big a deal, says Martin, but it still took him eight
weeks to get the layout right. "I took a lot of the Pi 4 layout blocks –
things like the processor and memory. There was a lot of effort into making
that good. So instead of restarting it, I just took the entire block of all
the wiring between those two parts and dropped them into my design. "The same
went for the power supply circuit as well. I didn't want to redesign it, I
wanted to just drop it into this board. If you look very carefully at the Pi 4
and Pi 400 circuit board, you'll see they're exactly the same layout of
components in that area." Some people have commented that the Pi 400 is a
left-handed computer because of the position of the USB ports on the left side
of the back of the keyboard. Why put all the USB ports, add-on port, and HDMI
ports on the back instead of putting some on the side? The main reason was to
keep the cost of production down. After all, making a computer that costs just
$70, based on a board that retails for $55, might require some trade-offs.
"One of the more contentious things we've had on the keyboard is the port
selection. It's been tough," he says.
How to Achieve Collaboration Tool Compliance
Third-party tools can address these Zoom-bombing risks by providing global,
firmwide transparency into collaboration platform security settings and the
ability to lock down and enforce settings across all accounts. Since technical
controls to protect privacy are always preferable, privacy officers and
compliance teams are embracing mechanisms for configuring and monitoring
security settings using these new enterprise dashboards. Finally, most of the
regulators flagged the physical risks of remote working environments. To
translate from security-speak, "physical risks" are the risks of whiteboards,
documents, people, or other viewable content in your home office. Canada's OPC
cautions "[b]e careful about where you sit during the call. Who and what is
visible in the background can reveal a lot of information that you might not
want to share; mirrors and other reflective objects can show people in the
room that may not want to be in the video." So, while we're all clamoring for
Room Rater likes, the more secure approach is to use background blurs and
other techniques to secure your office. Moreover, the use of innovative
supporting tools to analyze videoconferences to detect problematic logos,
images, or text in office backgrounds will further strengthen your privacy
posture.
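"Transparency into settings" and "the ability to lock down and enforce" are two different checks, and the gap between them is where Zoom-bombing lives: an account can be compliant today and silently revert tomorrow if the setting is not locked. The script below is an added example, not the article's or any vendor's code; the setting names (waiting_room, meeting_passcode, screen_sharing, allow_rename), the baseline values and the three accounts are constructed stand-ins for the per-account security settings a collaboration platform exposes.

```python
"""Audit and lock collaboration-platform meeting settings against a firm-wide baseline.

Added example; not the article's code and not any platform's real API. Setting
names, baseline values and the accounts are constructed for illustration.
"""
import copy

# Baseline a firm would require to keep uninvited guests out of meetings.
BASELINE = {
    "waiting_room": True,           # hosts admit attendees instead of letting anyone in
    "meeting_passcode": True,       # the meeting ID alone is not enough to join
    "screen_sharing": "host_only",  # a gatecrasher cannot share their screen
    "allow_rename": False,          # impersonating a colleague by renaming is blocked
}

# Constructed snapshot of three accounts. "locked" holds the settings that the
# user cannot change back after an administrator set them.
ACCOUNTS = [
    {"id": "acct-001", "owner": "cfo@example.com",
     "settings": {"waiting_room": True, "meeting_passcode": True,
                  "screen_sharing": "host_only", "allow_rename": False},
     "locked": {"waiting_room", "meeting_passcode", "screen_sharing", "allow_rename"}},
    {"id": "acct-002", "owner": "sales@example.com",
     "settings": {"waiting_room": False, "meeting_passcode": True,
                  "screen_sharing": "all_participants", "allow_rename": True},
     "locked": set()},
    {"id": "acct-003", "owner": "hr@example.com",
     "settings": {"waiting_room": True, "meeting_passcode": True,
                  "screen_sharing": "host_only", "allow_rename": False},
     "locked": {"waiting_room"}},
]


def audit(accounts, baseline=BASELINE):
    """One finding per (account, setting) that is NONCOMPLIANT, or compliant but
    UNLOCKED so the user could quietly revert it."""
    findings = []
    for acct in accounts:
        for key, required in baseline.items():
            current = acct["settings"].get(key)
            if current != required:
                status = "NONCOMPLIANT"
            elif key not in acct["locked"]:
                status = "UNLOCKED"
            else:
                continue
            findings.append({"account": acct["id"], "owner": acct["owner"], "setting": key,
                             "current": current, "required": required, "status": status})
    return findings


def enforce(accounts, baseline=BASELINE):
    """Set every baseline value and lock it. Returns the number of changes made
    (a value change and a lock each count as one)."""
    changes = 0
    for acct in accounts:
        for key, required in baseline.items():
            if acct["settings"].get(key) != required:
                acct["settings"][key] = required
                changes += 1
            if key not in acct["locked"]:
                acct["locked"].add(key)
                changes += 1
    return changes


if __name__ == "__main__":
    snapshot = copy.deepcopy(ACCOUNTS)
    for f in audit(snapshot):
        print(f"{f['status']:12} {f['account']} {f['setting']}: {f['current']!r} (required {f['required']!r})")
    print("changes applied:", enforce(snapshot))
    print("findings after enforcement:", audit(snapshot))
```

The UNLOCKED status is the one a dashboard that only shows current values misses, and it is what the "lock down and enforce" capability in the paragraph above actually buys you.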
Understanding third-party hacks in the aftermath of the SolarWinds breach
Third-party supply chain compromises have been happening for years, and most
organizations need to have an appropriately staffed and funded sub-team
focused on vetting their third parties and contractually obligating them to
improve their security as needed to match nation-state threats. We no longer
live in a world in which it is tenable to throw up one’s hands and give up if
there is a nation-state attacker targeting the organization. Assume there is a
nation-state targeting your organization. Cost effective defenses do exist
which can hold up even against nation states. If your organization is not
there yet, don’t just focus on a SolarWinds update – focus at least on the
broader need for supply chain security as a start with your CEO and your
board. That said, a compromise of a supplier is just one type of a third-party
compromise or abuse. There are many other types of third parties that can be
compromised (or abused). Developers, partners, customers, or potential
acquisitions are examples. Developers that abuse your services, as happened to
Facebook with Cambridge Analytica, are a form of third-party abuse. In the
case of Dun & Bradstreet in 2017, the company sold a database of 33 million
business contacts to a customer, and that database was then stolen from the
customer.
Building an Intentional Organisation: a Holistic Approach
In the context of the Intentional Organisation, sustainability has a broader
meaning than what is often intended. For me, it is the capability of the
organisation to last in order to achieve its purpose. This happens by
interpreting in a new way the relationship with the ecosystem of which the
company is part. Distinguishing between environment and ecosystem is essential
here; we are all part of the overall environment, but it is only in the
ecosystem that we develop ties and relationships, and that we can indeed act
upon. This means creating awareness of our entire network of stakeholders, and
an understanding of the flows of meaning that support those relationships. We
always assume that financial value dominates these relationships, but we know
this is not the case. Why does a customer choose our product? Why does an
investor buy our shares? Why does a candidate apply to one of our jobs? Why
does a supplier connect to work with us? Recent years have seen the
development of many marketing initiatives, in the form of branding exactly to
support some of these "meanings". This is only a partial response; we need to
recognise that this issue must become part of the design of our organisations.
As the SEC Launches Crypto Office, Blockchain Security Brings Out Its Big Guns
Recent events have proven there’s financial gain in cryptocurrency, if that
wasn’t clear enough already. Shortly after PayPal announced it would allow its
users to buy, sell, and hold cryptocurrency and Joe Biden won the U.S.
presidency, Bitcoin’s price shot up to record highs, eventually breaching the
$37k mark. Other cryptocurrencies followed suit. While the latter doesn’t
necessarily indicate causation, Bitcoin held its highs, and Ethereum, the
second-largest cryptocurrency, boomed after the president-elect appointed
cryptocurrency-savvy Gary Gensler to lead his financial policy transition
team. And the icing on the cake? The U.S. Securities and Exchange Commission
(SEC) announced earlier this month the launch of a new standalone office
dedicated solely to blockchain and digital assets to keep up with the
technological advancements. These are only the latest developments, as
institutional investors put their money in crypto and digital assets exchanges
sprout all over the world. Now that these novel assets are joining the big
leagues, so must the security protocols entrusted to protect everyone’s money.
And the security heavyweights are bringing out the big guns. In early
December, cyber startup GK8 brought its high-security vault for digital assets
to the Spain-based Prosegur, one of the world’s largest custodians in the
field of physical security for traditional banks. The vault will power
Prosegur’s new service for custody and management of digital assets,
representing the first time a cash-management company enters the digital asset
space and offers custody of cryptocurrency.
The next S-curve in model risk management
Proactive MRM activities, aligned with both business needs and
risk-management objectives, must be in place to prevent overgrowth of the
model inventory. To ensure that the inventory is rational and effective,
banks need to manage the model landscape as a whole. They also need to
ensure that model quality is high. Gaining transparency to direct such
efforts can involve deploying model workflow and inventory tools,
consistently applied model-risk-rating approaches, and regular monitoring of
model performance and use. The MRM function can support the bank by fully
optimizing the portfolio of models. This support goes beyond performing
validation work and ensuring consistency across modeling and monitoring
practices. Model development is also in need of optimization and
consolidation, since development is usually fragmented across different
business units. Hundreds of models now need to be adjusted, developed, and
recalibrated. There is a lesson in this—the effective and efficient
development of new models must result in models that are easy and
inexpensive to maintain in the future. In taking stock of existing models,
banks should seek to improve the quality of the best models while
decommissioning poor-quality, ineffective, and outdated models.
Pandemic ushers in the next big wave of IT outsourcing
Every outsourcing wave in history has been accompanied by an acute crisis
along with an outsized opportunity. In the first wave, it was the bogey of
Y2K that terrified companies into thinking the world would stop dead in its
tracks when computer clocks, engineered with only the twentieth century in
mind, entered the 21st century. The Y2K non-problem fired up the
rockets for Indian IT by introducing the opportunity of using cheap labour
to architect applications and taking care of a company's tech infrastructure
remotely. Then came the global financial crisis in 2008 and glimmers of
a new dawn began to appear on the horizon. This new dawn shined a light on
the urgency of the incoming digital age and the need to rapidly buy into it
by ditching the old labour arbitrage business for a world that necessitated
more complex digital solutions using the cloud, AI, machine learning, and
big data. These technologies became the new gospel. And yet, despite that
evangelism, most IT services companies failed to embrace the digital with an
urgency that was crucially needed. The flow of easy money from the old
business still continued, albeit at a dwindling rate. Both companies and IT
providers were reluctant to jump ship, and the new world of digital
solutions was still too unfamiliar to be embraced wholeheartedly.
Businesses Struggle with Cloud Availability as Attackers Take Aim
The cloud-related challenges companies face set a concerning stage for an
alert published this week by the Department of Homeland Security's
Cybersecurity and Infrastructure Security Agency (CISA). US officials warn of
"several recent successful cyberattacks against various organizations' cloud
services," done by attackers exploiting poor cyber hygiene practices within a
victim's cloud services configuration. These attacks frequently occurred
when a target organization's employees worked remotely and used a combination
of corporate and personal devices to access cloud services, CISA states.
Despite the use of security tools, poor user practices paved the way for
successful attacks. Attackers used a variety of techniques – phishing, brute
force login attempts, and possibly a "pass the cookie" attack – to breach
cloud services. CISA warns of phishing emails with links to harvest
credentials for cloud service accounts. With these credentials, the attackers
were able to log in and send emails from the target user's account to other
accounts in the same business. In several instances, they say, attackers
collected sensitive data by abusing email forwarding rules that employees had
set up to send business emails to their personal accounts. In one case, they
modified an email rule to redirect emails to an account controlled by the
attackers.
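Both CISA write-ups on this page mention the "pass the cookie" case, and it deserves a concrete model because it is routinely misread as an OTP theft. The block below is an added example, not code from CISA or the article: SessionService is a toy in-memory stand-in for a cloud application that checks a password and a one-time code and then issues an HMAC-signed session cookie. With bind_to_client=False it honours any unexpired cookie from anywhere, which is precisely why a cookie lifted from the victim's browser profile is an MFA bypass; with bind_to_client=True it also ties the cookie to the client context it was issued to and revokes the session on mismatch. The user, password, OTP value and client contexts are constructed.

```python
"""Session-cookie replay ("pass the cookie") against an MFA-protected login.

Added example, not code from the CISA alert or the article. SessionService is a
toy stand-in for a cloud app; credentials, the OTP value and both client
contexts are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import time

USERS = {"alice": "correct horse battery staple"}  # constructed credentials
CURRENT_OTP = {"alice": "492817"}                   # what alice's authenticator shows right now


def client_fingerprint(client):
    """Hash of the context a session was issued to (source IP and User-Agent here)."""
    raw = f"{client['ip']}|{client['user_agent']}".encode()
    return hashlib.sha256(raw).hexdigest()


class SessionService:
    def __init__(self, bind_to_client, ttl_seconds=8 * 3600, clock=time.time):
        self._key = secrets.token_bytes(32)   # server-side cookie-signing key
        self._sessions = {}                   # session id -> {user, fp, issued}
        self.bind_to_client = bind_to_client
        self.ttl = ttl_seconds
        self.clock = clock

    def _mac(self, sid):
        return hmac.new(self._key, sid.encode(), "sha256").hexdigest()

    def login(self, user, password, otp, client):
        """Password + OTP check; returns a signed cookie on success, else None."""
        if not (hmac.compare_digest(USERS.get(user, ""), password)
                and hmac.compare_digest(CURRENT_OTP.get(user, ""), otp)):
            return None
        sid = secrets.token_urlsafe(16)       # url-safe alphabet, never contains "."
        self._sessions[sid] = {"user": user, "fp": client_fingerprint(client),
                               "issued": self.clock()}
        return f"{sid}.{self._mac(sid)}"

    def whoami(self, cookie, client):
        """Resolve a presented cookie to a user, or None if it must not be honoured."""
        sid, _, mac = cookie.partition(".")
        if not hmac.compare_digest(mac, self._mac(sid)):
            return None                        # forged or tampered cookie
        sess = self._sessions.get(sid)
        if sess is None:
            return None                        # unknown or already revoked
        if self.clock() - sess["issued"] > self.ttl:
            del self._sessions[sid]
            return None                        # expired: log in (and do MFA) again
        if self.bind_to_client and sess["fp"] != client_fingerprint(client):
            del self._sessions[sid]            # presented from elsewhere: treat as stolen
            return None
        return sess["user"]


def run_demo():
    """Same stolen cookie against a lax and a client-bound service; returns the outcomes."""
    now = [1_610_000_000.0]                    # controllable clock so expiry is testable
    clock = lambda: now[0]
    victim = {"ip": "192.0.2.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) corp-build"}
    attacker = {"ip": "198.51.100.200", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}
    results = {}
    for label, bind in (("lax", False), ("bound", True)):
        svc = SessionService(bind_to_client=bind, ttl_seconds=3600, clock=clock)
        results[f"wrong_otp_{label}"] = svc.login("alice", USERS["alice"], "000000", victim)
        cookie = svc.login("alice", USERS["alice"], CURRENT_OTP["alice"], victim)
        # Attacker copies the cookie out of the victim's browser profile and replays it.
        results[f"replay_{label}"] = svc.whoami(cookie, attacker)
        results[f"victim_after_replay_{label}"] = svc.whoami(cookie, victim)
        forged = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
        results[f"forged_{label}"] = svc.whoami(forged, attacker)
        now[0] += 3601                          # past the TTL
        results[f"expired_{label}"] = svc.whoami(cookie, victim)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:28} -> {v!r}")
```

Two things the run makes visible. First, the MFA check was never defeated: the attacker logs in as alice with a cookie minted after she passed it, which is why the alert's "possibly a pass-the-cookie attack" is compatible with MFA having been enabled and working. Second, binding to IP and User-Agent is a blunt instrument (it breaks roaming clients, and an attacker with the browser profile can copy the User-Agent), so treat it as a stand-in for the real controls: short session lifetimes, re-evaluating the client's device and location on each request, and revoking every session when a password is reset or a compromise is suspected.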
Quote for the day:
"People will not change their minds but they will make new decisions based upon new information." -- Orrin Woodward