Daily Tech Digest - January 28, 2021

Engaging Employees to Accelerate Digital Banking Transformation

Many financial institutions are investing heavily in new technologies and processes to support their digital banking transformation goals. Research by the Digital Banking Report has found that banks and credit unions have increased investment in digital transformation in each of the past four years. There is no doubt that these investments are justified given the flight to digital by consumers and the game-changing technology that can support digital customer experience improvements. Unfortunately, with such a focus on data, analytics, technology and systems, most firms ignore the need to invest in employees to make sure they maximize the value of the new tools being deployed. Beyond open communication around how employees can be a part of the digital banking transformation process, it is important to invest in training the people to ensure that the digital banking transformation efforts succeed. If you don’t, it’s like buying a new car but failing to fill the gas tank (or charge the batteries). To respond to the need to reskill and upskill current employees, new models of managing learning and development have emerged. More than replicating legacy training methods, new learning officer positions have been created with the responsibility of not only creating ongoing learning opportunities, but also supporting cultural transformation.

Here’s why upskilling is crucial to drive the post-COVID recovery

We have a pressing societal problem: how to equip people with the skills they need to participate in the economy – now and in the future. As outlined in the World Economic Forum’s latest Future of Jobs Report, half of all employees around the world will need reskilling by 2025 – and that number doesn’t include all the people who are currently not in employment. If we don’t act now, this skills gap will only widen. With challenges come opportunities. Crisis events, like the pandemic, can and should shape economic thinking and represent a rare but narrow window of opportunity to reflect, reimagine, and reset priorities. So let’s seize this opportunity. We’re calling on governments, business leaders, and educators to join us in a global movement for upskilling. As you’ll see in our new report – Upskilling for Shared Prosperity – published as part of Davos Agenda Week to mark the first anniversary of the World Economic Forum’s Reskilling Revolution Platform, there’s a clear social and economic case for upskilling. If we commit to giving all people opportunities to build the skills they will need to fully participate in the future workplace, it will, in turn, lead to a prosperity dividend.

Law enforcement takes over Emotet, one of the biggest botnets

According to Europol, Emotet's infrastructure consisted of several hundred servers located across the world and serving different purposes, including making the botnet more resilient to takeover attempts. Law enforcement agencies had to work together to develop a strategy that involved gaining control of the infrastructure from the inside and redirecting victims to servers under their own control. As part of the investigation, the Dutch National Police seized data from the servers used by Emotet, including a list of stolen email credentials abused by the botnet. The agency set up a web page where users can check if their email address was among those affected. The information about infected computers that was gathered during the operation was also shared with national CERTs so the victims can be identified and contacted. "Only time will tell if the takedown will have long-term impact to Emotet operations," Jason Passwaters, COO of security firm Intel 471, tells CSO. "These groups are sophisticated and will have baked in some sort of recovery. Emotet itself does not appear to have any sort of inherent recovery mechanism, but a lot of the infected machines will have other malware installed as well, such as Qbot, Trickbot or something else. ..."

Top 5 Evolving Cybersecurity Threats to Cloud Computing in 2021

According to the Sophos 2020 Threat Report, misconfigurations can drive numerous data breaches. As businesses integrate themselves with cloud computing, the possibility of cloud jacking grows. Trend Micro predicts that code injection attacks can be used against cloud platforms. These attacks can be carried out through third-party libraries, SQL injection and cross-site scripting: attackers inject malicious code into third-party libraries and ensure that the code is downloaded and executed by users unintentionally. Typical public cloud vendors are responsible only for the security of their infrastructure; customers are responsible for protecting their data. ... Social engineering relies on phishing scams to steal user credentials for cloud services and for on-premises attacks. Did you know that 78% of the data breaches that occurred during 2019 were related to phishing? This percentage increased in 2020. Newer phishing attempts are launched through cloud applications rather than traditional emails. Phishing kits make it easier for cybercriminals to carry out illicit activities, since they require very little technical skill to operate.

What Is Robomorphic Computing?

A robot’s operation is a three-step process: gathering data using sensors or cameras; using mapping and localisation techniques to understand the environment; and plotting the course of action. Advances in embedded vision and SLAM technology make data gathering and localisation easy. However, all these steps take a lot of time, especially when the calculations are done on CPUs. Previously, the researchers had investigated the software side, developing efficient algorithms to speed up robots. The MIT folks concluded it’s time to look beyond software. Hardware acceleration is the use of a specialised hardware unit to do certain computing tasks more efficiently. While Graphics Processing Units (GPUs) have been used for such tasks, their application is limited since the use cases differ from robot to robot. Hence, the researchers at MIT developed robomorphic computing to devise a customised hardware unit for an individual robot. It takes the physical parameters of the robot and the tasks it needs to perform, translates them into mathematical matrices, and uses those to design a specialised hardware architecture. The resulting chip design is unique to the robot and maximises its efficiency.

Digital Identity Is the New Security Control Plane

Digital identity — in the form of trusted contextual data defining who is accessing a system and how — provides this control plane. Users are already providing identity (and likely at multiple points). Systems are already consuming it — in the case of software-as-a-service (SaaS) environments, it may be one of the few configurable security controls available — but the decoupling of security from location and IP address is present in many other solutions. It can be tailored to an organization's needs and be risk-sensitive, with different methods and phases required, depending on the resource accessed. Even better, it's a control plane that can and should be implemented in a phased approach and provides a path to a zero-trust network architecture. The steps to building this are conceptually simple, and we can do extensive preparation. First, ensure even before you implement that the technologies you are investing in are identity-aware and able to make differentiated security decisions in the data plane based on that identity. This must extend to SaaS applications — one of the largest benefits of using identity as your control plane is the ability to bring these into the fold, as it were, and to match them to your security model. Second, consolidate identity to a single "source of trust" — that is, a single secure, consistent, and accurate repository for identity.

Data Privacy Day 2021: What to consider in the wake of Covid-19

The exit of the UK from the EU means that companies across the country that deal with Europe need to take extra steps to ensure correct compliance. According to Rich Vibert, CEO and co-founder of Metomic, this can be aided by considering this aspect at the start of any deployment. “This Data Privacy Day, we must confront the fact that UK companies aren’t equipped to protect their data now that we’ve Brexited,” said Vibert. “A large proportion of the responsibility for this lies with the UK government, whose failure to deliver guidance during the transition period resulted in businesses adopting a ‘wait and see’ approach. “Businesses need to take charge; proactively adapting compliance to UK-GDPR and analysing how a lack of adequacy could impact them and their customers. Only by doing so will they avoid the financial and reputational damage caused by non-compliance. “Regardless of whether the government holds the blame for the current status quo or not, leaders must see this as an opportunity to reset their approach to data protection. This means putting the privacy, compliance and security of data at the heart of their business strategy and using technology to facilitate this.

Marry IGA with ITSM to avoid the pitfalls of Identity 2.0

IAM solutions are too coarse-grained to handle such moves, in my experience. That forces admins to do IGA the hard way – taking care of onboarding, job changes, terminations, and so forth by hand. In addition to being a time- and labor-intensive hassle, manual IGA leads to numerous identity management errors. All too often, manual IGA grants access to new applications or information sources but doesn’t take away old ones, which exposes companies to security and compliance risks. Manual processes for managing patches, password resets, software updates, and more also increase risks. You don’t want an executive accessing highly confidential information from an app that doesn’t require two-factor authentication on a laptop that hasn’t been updated. But if IGA is managed from a spreadsheet, that’s exactly what happens. The employee lifecycle is only one of the IGA challenges that Identity 2.0 systems are not well-positioned to address. Take for example the expense and integration hassle of onboarding traditional IAM into manual IGA systems. The typical IGA system, like most enterprise systems, exists in a silo. Implementing manual IGA on systems such as HR, CRM, finance, and operations means writing numerous custom integrations.

What Happens If a Cloud Provider Shuts You Out?

There are other reasons, such as sudden outages or the shutdown of a cloud provider, for organizations to create plans to salvage their code and get back online quickly, Valentine says. Heikki Nousiainen, CTO at Aiven, also says the threat of getting cut off by all three major cloud providers is very low for most other businesses -- yet companies may want to maintain the ability to move code around for disaster recovery needs. “They are rare, but we sometimes see these big outages touch Google, AWS, or Azure in one or more regions,” he says. Companies with very time-sensitive online business needs, for example, may want to maintain the ability to roll over to a backup elsewhere, Nousiainen says. He recommends exploring true multi-cloud options where companies can select providers freely without being locked in, and also going with open source technology because that lets the same set of services run in different clouds. Some of these options can come at a bit of a premium, though Nousiainen says the overall benefits may be worth it. “There are costs associated but typically when that investment goes into preparing infrastructure as a code it also helps for many other problems such as disaster recovery.”

Dead System Admin's Credentials Used for Ransomware Attack

In a case study published Tuesday, the researchers say the system administrator had died three months previously, but the account remained active. The researchers note that there are numerous reasons why the account could have been left open, including the possibility that the system admin had helped with the initial setup of the targeted firm's services. "Closing down the account would have stopped those services working, so keeping the account going was, we'd imagine, a convenient way of letting the dead person's work live on," according to the report. The Sophos report also notes that these types of "ghost" accounts are an increasing problem for security teams, especially if other parts of the company forget that they remain active after an employee has left or died. "In this case, the active use of the account of a recently deceased colleague ought to have raised suspicions immediately - except that the account was deliberately and knowingly kept going, making its abuse look perfectly normal and therefore unexceptionable, rather than making it seem weirdly paranormal and therefore raising an alarm," according to Sophos.
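The "ghost" account described in the Sophos case above and the never-revoked access described in the IGA piece are two faces of the same gap: the identity store is not reconciled against the HR record. The following is an added example, not code from Sophos or any of the articles, that performs that reconciliation over constructed inputs (a hypothetical HR roster, identity-store export, role baseline and authentication log); it flags enabled accounts whose owner has left or died, successful logons by those accounts, and entitlements an account holds beyond its owner's role.

```python
# Constructed HR roster: status is "active", or the reason the person is gone.
HR_ROSTER = {
    "jdoe":   {"status": "active",   "role": "sysadmin"},
    "asmith": {"status": "active",   "role": "finance"},
    "rlee":   {"status": "deceased", "role": "sysadmin"},
    "mkhan":  {"status": "left",     "role": "finance"},
}
# Constructed identity-store export: enabled flag plus held entitlements.
ACCOUNTS = {
    "jdoe":   {"enabled": True,  "entitlements": {"ad-admin", "vpn"}},
    "asmith": {"enabled": True,  "entitlements": {"erp-finance", "vpn", "ad-admin"}},
    "rlee":   {"enabled": True,  "entitlements": {"ad-admin", "vpn"}},
    "mkhan":  {"enabled": False, "entitlements": {"erp-finance"}},
}
# Constructed baseline: what each role should hold, nothing more.
ROLE_BASELINE = {"sysadmin": {"ad-admin", "vpn"}, "finance": {"erp-finance", "vpn"}}
# Constructed auth log, one "<timestamp> <user> <result> <source-ip>" per line.
AUTH_LOG = """\
2021-01-25T02:13:44Z rlee success 203.0.113.7
2021-01-25T09:02:10Z jdoe success 10.0.0.5
2021-01-26T03:41:02Z rlee success 203.0.113.7
"""

def ghost_accounts(roster=HR_ROSTER, accounts=ACCOUNTS):
    """Enabled accounts whose owner is not an active employee.
    An account with no HR record at all is also flagged (orphan)."""
    return sorted(u for u, a in accounts.items()
                  if a["enabled"] and roster.get(u, {}).get("status") != "active")

def ghost_logons(log=AUTH_LOG, roster=HR_ROSTER, accounts=ACCOUNTS):
    """Successful logons by ghost accounts, as (timestamp, user, source-ip)."""
    ghosts = set(ghost_accounts(roster, accounts))
    hits = []
    for line in log.splitlines():
        ts, user, result, ip = line.split()
        if user in ghosts and result == "success":
            hits.append((ts, user, ip))
    return hits

def excess_entitlements(roster=HR_ROSTER, accounts=ACCOUNTS, baseline=ROLE_BASELINE):
    """Entitlements an enabled account holds beyond its owner's role baseline,
    i.e. access granted on a move but never revoked."""
    out = {}
    for u, a in accounts.items():
        role = roster.get(u, {}).get("role")
        extra = a["entitlements"] - baseline.get(role, set())
        if a["enabled"] and extra:
            out[u] = sorted(extra)
    return out
```

Run against real exports, the three functions would feed a leaver review: disable or re-own every ghost account, investigate every ghost logon, and revoke every excess entitlement.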

Quote for the day:

"The leadership team is the most important asset of the company and can be its worst liability." -- Med Jones
