This week's CISA alert notes that some hackers are using phishing emails to steal credentials from employees so they can compromise cloud resources. In many cases, the malicious messages appear to originate from overseas IP addresses and domains, but attackers can easily route the traffic through a proxy server or Tor-based network to hide its origins, CISA says. Hackers also are using brute-force attacks to guess weak passwords. "In one case, an organization did not require a virtual private network for accessing the corporate network," the CISA alert notes. "Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it - leaving the organization's network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts." In some cases, attackers are bypassing multifactor authentication protections by compromising browser cookies to collect one-time passwords and other data, CISA adds. After gaining an initial foothold in the network, some of the hackers attempted to change settings within victims' email inboxes that would forward messages to the attackers or hide certain emails from security tools.
Establish a data insights council to facilitate collaboration and build consensus. Forrester recommends that CDOs be collaborates above all else in order to establish common foundations, prioritize projects and allocate resources. "Bringing key stakeholders together in a data insights council allows them to see things differently and gives them a role in building the framework for becoming insights driven," Belissent writes. Deliver value quickly through iterative proofs of value. This is a big one. Forrester says that successful CDOs must demonstrate the value of applying data and analytics to specific business questions fast. If there aren't yet results, then the CDO should demonstrate the work in process instead. Showing results builds trust with stakeholders. One CDO quoted in the report noted that he did many "dog and pony shows" to demonstrate insights and how they provided incremental value. This takes the collaborative process one step further. The two new reports written by Belissent are titled Chief Data Officers: Accelerate Insights-Driven Business Impact in 12 Steps, and Chief Data Officers: Evolve Your Teams to Accelerate Impact from Data Insights.
Redesigning the Raspberry Pi 4's printed circuit board to fit the Pi 400 in some ways wasn't that big a deal, says Martin, but it still took him eight weeks to get the layout right. "I took a lot of the Pi 4 layout blocks – things like the processor and memory. There was a lot of effort into making that good. So instead of restarting it, I just took the entire block of all the wiring between those two parts and dropped them into my design. "The same went for the power supply circuit as well. I didn't want to redesign it, I wanted to just drop it into this board. If you look very carefully at the Pi 4 and Pi 400 circuit board, you'll see they're exactly the same layout of components in that area." Some people have commented that the Pi 400 is a left-handed computer because of the position of the USB ports on the left side of the back of the keyboard. Why put all the USB ports, add-on port, and HDMI ports on the back instead of putting some on the side? The main reason was to keep the cost of production down. After all, making a computer that costs just $70, based on a board that retails for $55, might require some trade-offs. "One of the more contentious things we've had on the keyboard is the port selection. It's been tough," he says.
Third-party tools can address these Zoom-bombing risks by providing global, firmwide transparency into collaboration platform security settings and the ability to lock down and enforce settings across all accounts. Since technical controls to protect privacy are always preferable, privacy officers and compliance teams are embracing mechanisms for configuring and monitoring security settings using these new enterprise dashboards. Finally, most of the regulators flagged the physical risks of remote working environments. To translate from security-speak, "physical risks" are the risks of whiteboards, documents, people, or other viewable content in your home office. Canada's OPC cautions "[b]e careful about where you sit during the call. Who and what is visible in the background can reveal a lot of information that you might not want to share; mirrors and other reflective objects can show people in the room that may not want to be in the video." So, while we're all clamoring for Room Rater likes, the more secure approach is to use background blurs and other techniques to secure your office. Moreover, the use of innovative supporting tools to analyze videoconferences to detect problematic logos, images, or text in office backgrounds will further strengthen your privacy posture.
Third-party supply chain compromises have been happening for years, and most organizations need to have an appropriately staffed and funded sub-team focused on vetting its third parties and contractually obligating them to improve their security as needed to match nation-state threats. We no longer live in a world in which it is tenable to throw up one’s hands and give up if there is a nation-state attacker targeting the organization. Assume there is a nation-state targeting your organization. Cost effective defenses do exist which can hold up even against nation states. If your organization is not there yet, don’t just focus on a SolarWinds update – focus at least on the broader need for supply chain security as a start with your CEO and your board. That said, a compromise of a supplier is just one type of a third-party compromise or abuse. There are many other types of third parties that can be compromised (or abused). Developers, partners, customers, or potential acquisitions are examples. Developers that abuse your services, as occurred to Facebook by Cambridge Analytica in 2016, is a form of third-party abuse. In the case of Dun and Bradstreet in 2017, one of their customers had a database of 33 million business contacts that they sold, and it was then stolen from their customer.
In the context of the Intentional Organisation, sustainability has a broader meaning than what is often intended. For me, it is the capability of the organisation to last in order to achieve its purpose. This happens by interpreting in a new way the relationship with the ecosystem of which the company is part. Distinguishing between environment and ecosystem is essential here; we are all part of the overall environment, but it is only in the ecosystem that we develop ties and relationships, and that we can indeed act upon. This means creating awareness of our entire network of stakeholders, and an understanding of the flows of meaning that support those relationships. We always assume that financial value dominates these relationships, but we know this is not the case. Why does a customer choose our product? Why does an investor buy our shares? Why does a candidate apply to one of our jobs? Why does a supplier connect to work with us? Recent years have seen the development of many marketing initiatives, in the form of branding exactly to support some of these "meanings". This is only a partial response; we need to understand this issue needs to become part of the design of our organisations.
Recent events have proven there’s financial gain in cryptocurrency, if that wasn’t clear enough already. Shortly after PayPal announced it would allow its users to buy, sell, and hold cryptocurrency and Joe Biden won the U.S. presidency, Bitcoin’s price shot up to record highs, eventually breaching the $37k mark. Other cryptocurrencies followed suit. While the latter doesn’t necessarily indicate causation, Bitcoin held its highs, and Ethereum, the second-largest cryptocurrency, boomed after the president-elect appointed cryptocurrency-savvy Gary Gensler to lead his financial policy transition team. And the icing on the cake? The U.S. Securities and Exchange Commission (SEC) announced earlier this month the launch of a new standalone office dedicated solely to blockchain and digital assets to keep up with the technological advancements. These are only the latest developments, as institutional investors put their money in crypto and digital assets exchanges sprout all over the world. Now that these novel assets are joining the big leagues, so must the security protocols entrusted to protect everyone’s money. And the security heavyweights are bringing out the big guns. In early December, cyber startup GK8 brought its high-security vault for digital assets to the Spain-based Prosegur, one of the world’s largest custodians in the field of physical security for traditional banks. The vault will power Prosegur’s new service for custody and management of digital assets, representing the first time a cash-management company enters the digital asset space and offers custody of cryptocurrency.
Proactive MRM activities, aligned with both business needs and risk-management objectives, must be in place to prevent overgrowth of the model inventory. To ensure that the inventory is rational and effective, banks need to manage the model landscape as a whole. They also need to ensure that model quality is high. Gaining transparency to direct such efforts can involve deploying model workflow and inventory tools, consistently applied model-risk-rating approaches, and regular monitoring of model performance and use. The MRM function can support the bank by fully optimizing the portfolio of models. This support goes beyond performing validation work and ensuring consistency across modeling and monitoring practices. Model development is also in need of optimization and consolidation, since development is usually fragmented across different business units. Hundreds of models now need to be adjusted, developed, and recalibrated. There is a lesson in this—the effective and efficient development of new models must result in models that are easy and inexpensive to maintain in the future. In taking stock of existing models, banks should seek to improve the quality of the best models while decommissioning poor-quality, ineffective, and outdated models.
Every outsourcing wave in history has been accompanied by an acute crisis along with an outsized opportunity. In the first wave, it was the bogey of Y2K that terrified companies into thinking the world would stop dead in its tracks when computer clocks, engineered with only the twentieth century in mind, entered the 21st century. The Y2K non-problem fired up the rockets for Indian IT by introducing the opportunity of using cheap labour to architect applications and taking care of a company's tech infrastructure remotely. Then came the global financial crisis in 2008 and glimmers of a new dawn began to appear on the horizon. This new dawn shined a light on the urgency of the incoming digital age and the need to rapidly buy into it by ditching the old labour arbitrage business for a world that necessitated more complex digital solutions using the cloud, AI, machine learning, and big data. These technologies became the new gospel. And yet, despite that evangelism, most IT services companies failed to embrace the digital with an urgency that was crucially needed. The flow of easy money from the old business still continued, albeit at a dwindling rate. Both companies and IT providers were reluctant to jump ship, and the new world of digital solutions was still too unfamiliar to be embraced wholeheartedly.
The cloud-related challenges companies face set a concerning stage for an alert published this week by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). US officials warn of "several recent successful cyberattacks against various organizations' cloud services," done by attackers exploiting poor cyber hygiene practices within a victim's cloud services configuration. These attacks frequently occurred when a target organization's employees worked remotely and used a combination of corporate and personal devices to access cloud services, CISA states. Despite the use of security tools, poor user practices paved the way for successful attacks. Attackers used a variety of techniques – phishing, brute force login attempts, and possibly a "pass the cookie" attack – to breach cloud services. CISA warns of phishing emails with links to harvest credentials for cloud service accounts. With these credentials, the attackers were able to log in and send emails from the target user's account to other accounts in the same business. In several instances, they say, attackers collected sensitive data by abusing email forwarding rules that employees had set up to send business emails to their personal accounts. In one, they modified an email rule to redirect emails to an account controlled by the attackers.
Quote for the day:
"People will not change their minds but they will make new decisions based upon new information." -- Orrin Woodward