Daily Tech Digest - March 05, 2021

Do Disaster Recovery Sites Actually Work?

Having the right resources available during a crisis is crucial. While internal IT teams perform disaster drills and claim they are able to run operation from the remote site, the fact is that new discoveries come to the fore when a disaster strikes and top management team is usually oblivious to these issues. These so-called drills are often just a farce put on for external and internal auditors, who seldom get to the core issues that may have occurred during the drill. Most auditor reports are checklists and they are happy to tick them off and present a rosy picture to the management. It is important to remember that NSE’s press release also said that it did not invoke the disaster recovery site based on management consultations. So what actually is a disaster recovery site? In layman terms it is an alternate site (which can be within the same city or another city) which is capable of running all the operations designed in a primary site. The genesis of a disaster recovery site is the business continuity policy (BCP). This document lists all IT systems that hold the data of an organisation, its dependencies with other systems, and all the elements which are necessary to run the system

We’ll never have true AI without first understanding the brain

The vast majority of AI researchers don’t really embrace the idea that the brain is important. I mean, yes, people figured out neural networks a while ago, and they’re kind of inspired by the brain. But most people aren’t trying to replicate the brain. It’s just whatever works, works. And today’s neural networks are working well enough. And most people in AI have very little understanding of neuroscience. It’s not surprising, because it’s really hard. It’s not something you just sit down and spend a couple of days reading about. Neuroscience itself has been struggling to understand what the hell’s going on in the brain. But one of the big goals of writing this book was to start a conversation about intelligence that we’re not having. I mean, my ideal dream is that every AI lab in the world reads this book and starts discussing these ideas. Do we accept them? Do we disagree? That hasn’t really been possible before. ... An AI that can detect cancer cells is great. But is that intelligence? No. In the book I use the example of robots on Mars building a habitat for humans. Try to imagine what kind of AI is required to do that. Is that possible? It’s totally possible.

Why paying off ransomware gangs is not a good idea

So what is the alternative? Insurers, especially in the US, urge their clients to quickly and quietly pay the ransom to minimise the damage of disruption. Then insurers allow the company to claim back the ransom payment on their insurance and raise their premiums for the following year. This payment is usually handled discreetly by a broker. In essence, the ransomware ecosystem functions like a protection racket, effectively supported by insurers who are set to pocket higher premiums as attacks continue. Aside from the moral objections we might have to routinely paying money to criminals, this practice causes two important practical problems. First, it encourages complacency in cybersecurity. This complacency was best exemplified when a hacked company paid a ransom, but never bothered to investigate how the hackers had breached their system. The company was promptly ransomed again, by the same group using the very same breach, just two weeks later. Second, some ransomware gangs invest their ill-gotten gains into the research and development of better cyber-tools. Many cybersecurity researchers are concerned about the increasing sophistication of the malware used by leading cybercrime groups such as REvil or Ryuk, which are both thought to be based in Russia.

Credential exposure trends: You need a better password

The data recovered by SpyCloud researchers includes more than 4.6 billion pieces of personally identifiable information (PII), including names, addresses, birthdates, job titles, social media URLs and nearly 1.3 billion phone numbers. Criminals use PII to create fake accounts or steal someone else’s identity and then apply for lines of credit, intercept tax refunds, drain bank accounts and more. With as little as one or two pieces of PII, they can compromise a person’s identity. Despite years of advice about the importance of strong passwords, people inevitably end up reusing or recycling the same credentials for multiple sites. Outdated password complexity requirements have complicated the issue by providing people with a false sense of security when they recycle a favorite password with a few simple changes, like capitalizing the first letter and adding a 1 or ! at the end. Industry standards call for organizations to convert plaintext passwords into hashes so if they are breached, criminals can’t easily access the passwords themselves. But some hashing algorithms are computationally harder to crack than others. Unfortunately, even the strongest hashing algorithm means little when users make weak or common password choices.

The office of the future is about people not places

Experts suggests the future of employment will be a hybrid mix of office- and home-working. As many as 90% of HR leaders believe employees will carry of working remotely in the post-COVID age, says tech analyst Gartner. That shift to hybrid working is something that resonates with Paul Coby, CIO at global science and chemicals company Johnson Matthey, whose guess is that people in the future will split their time between working from home and going into the office. What that means for many of us is that the traditional nine-to-five working day at the corporate HQ isn't coming back. "It seems to me that sitting in an office doing emails doesn't seem like a great use of offices or an individual's time," says Coby. Other experts agree. Researcher CCS Insights predicts more than half of all office-based employees will still work mainly remotely through 2022. IoD research, meanwhile, suggests more than half of business leaders plan on reducing their long-term use of workplaces, with more than one in five reporting use will be significantly lower. The office that many of us knew – with its command-and-control leadership styles – is probably gone forever. Get it right, and managers could change how we all work for the better. But quite how business leaders will organise and manage the hybrid workplace of the future is still very much up for debate right now.

Why global power grids are still vulnerable to cyber attacks

“Power grids are getting increasingly vulnerable because of digitalization and the use of more smart applications,” said Daine Loh, a Singapore-based power and renewables analyst at Fitch Solutions. It’s a threat highlighted in an initial probe in India that found an October blackout in Mumbai may have been caused by cyber sabotage. That outage impacted stock markets, trains and thousands of households in the nation’s financial hub. The disruptive potential of grid failures — as seen in Texas last month due to a sudden deep freeze — makes the sector a key target, particularly for state-based hostile actors. Over the past four decades, power plants and substations have been moving from manual to automatic controls, and are increasingly being connected to public and private networks for remote access, leaving them exposed to attacks. Producers and distributors have also often been reluctant to spend on protecting themselves against low-probability attacks. “India’s power system is in urgent need of proper cybersecurity systems,” said Reji Kumar Pillai, president of India Smart Grid Forum, a think-tank backed by the federal power ministry and which advises governments, regulators and utilities. 

Version 2 of Google’s Flutter toolkit adds support for desktop and web apps

Over the course of the last year or so, the team started working on what it calls Canvas Kit. This WebAssembly-based project takes the same Skia graphics engine that powers Android and Chrome itself and makes it available to web apps. “What that’s meant is that we can now essentially bypass the core HTML — sort of the document-centric parts of the web platform — and really use the app-centric parts of the web platform without leaving [behind] things like auto-complete of text or passwords and all the things that keep the web feeling very unique,” Sneath said. On the desktop, Google is announcing that Canonical is going all-in on Flutter and making it the default choice of all its future desktop and mobile apps. Microsoft, too, is expanding its support for Flutter and working with Google on Windows support for Flutter. Given Microsoft’s interest in Android, that’s maybe no huge surprise, and indeed, Microsoft today is releasing contributions to the Flutter engine to help support foldable Android devices. In total, Google notes, there are now over 15,000 packages for Flutter and Dart from companies like Amazon, Microsoft, Adobe, Huawei, Alibaba, eBay and Square.

Data Science Environments

Environment managers are critical to the concept of virtual machines. A virtual machine (VM) can be thought of as a computer inside of your computer (Inception style). As with everything mentioned here, a virtual machine is simply a method of file management. The VM is a program that isolates itself from all the other files on the computer; it may even run a different operating system. (For example, a MacOS computer might have a virtual machine running a Windows operating system.) Virtual machines are very effective when you want to recreate a programming environment on another computer, because you don’t need to know anything about that computer’s current dependencies. You can set up a virtual machine that has exactly the files visible to it that you have on your own computer’s virtual machine. For this reason, data science heavily utilizes virtual machines; they ensure reproducibility of results. Cloud-based applications are another common example of VMs. The developer counts on the fact that their VM will be isolated from any other code living on the server hosting their application.

8 mobile security threats you should take seriously

A mobile device is only as secure as the network through which it transmits data. In an era where we're all constantly connecting to networks that might not be optimally secured — be they improperly configured home networks, for remote workers, or public WiFi networks — our information frequently isn't as protected as we might assume. Just how significant of a concern is this? According to research by Wandera, in a more typical year, corporate mobile devices use WiFi almost three times as much as they use cellular data. Nearly a quarter of devices connect to open and potentially insecure WiFi networks, and 4% of devices encounter a man-in-the-middle attack — in which someone maliciously intercepts communication between two parties — within an average month. Those numbers have dipped this past year due to reduced travel and fewer physical businesses being open during COVID, but that doesn't mean the threat is gone — or that there's no need to remain ahead of the game, even with employees working mostly from home. "Rather than relying on man-in-the-middle attack detection to be reactive, we recommend organizations take a more proactive approach to securing remote connections," says Michael Covington

Risky business: 3 timeless approaches to reduce security risk in 2021

Some organizations see migrating to the cloud as a way of creating greenfield environments that can be secured more easily than the tech-debt-laden on-premises network. Yes, cloud adoption does have many security benefits. And, yes, the cloud does represent an opportunity to do things over better. With a greenfield architecture, with best practices baked neatly into it. Only, many organizations’ lack of cloud security processes and controls can quickly eat away at the cloud’s forecasted risk reduction benefits, reducing the overall value of this opportunity. You should keep in mind that AWS S3 buckets are left unsecured and publicly available all the time. Developers have been known to leave (or hardcode) private keys and tokens in the most embarrassing places. Personnel leave files unsecured and open to the public far too often. Publicly available endpoints are improperly segmented from private networks, sometimes creating an autobahn towards the on-premises network. Many organizations don’t do a good enough job of monitoring activity in the cloud or the information flow between the cloud and the on-premises network.

Quote for the day:

"It is easy to lead from the front when there are no obstacles before you, the true colors of a leader are exposed when placed under fire." -- Mark W. Boyer

No comments:

Post a Comment