Web Application Security is not API Security
Broken Object Level Authorization (BOLA) is number one on the API Top 10 list.
Uber’s API had this vulnerability. Thankfully, it was discovered by security
researchers before malicious actors did damage (as far as we know). But it
illustrates well how dangerous BOLA can be. The vulnerability leaked sensitive
information, including an authentication token that could be used to perform a
full account takeover. The vulnerability appears when a new driver joins the
Uber platform. The browser sends the “userUuid” to the API endpoint, and the API
returns data about the driver used to populate the client. ... Application
security technologies such as Web Application Firewall, Next Generation Web
Application Firewall, and Runtime Application Self-Protection don’t typically
find the kinds of vulnerabilities we’ve discussed. These attacks present as
ordinary traffic, so many defenses let them through. The future of API security
lies with business logic. Application security tools have to understand the
application’s context and business logic to know that non-managers shouldn’t be
adding collaborators to a store or that a client shouldn’t access that user ID’s
information.
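As an added illustration (this is not code from the article, from Uber, or from any vendor mentioned above), the following Python stand-in shows the shape of the BOLA flaw described: an endpoint that looks up a record by a client-supplied userUuid and returns it to any authenticated caller, beside a hardened version that checks per object that the caller owns the record (or holds an explicit privileged role), strips the server-side token from the response, and records denied attempts so that a detection pipeline has something to alert on. All names (DRIVERS, Session, get_driver_vulnerable, get_driver_authorized, DENIALS) and the sample records are constructed for this example.

```python
"""Object-level authorization check for a by-uuid lookup (added example).

DRIVERS, Session, the role name "support" and the records below are all
constructed for this illustration; none of it is from the original article.
"""
from dataclasses import dataclass

# Constructed sample store: uuid -> driver record. The "token" field stands in
# for the sensitive value the article says the real API leaked.
DRIVERS = {
    "uuid-1111": {"name": "Driver A", "phone": "555-0101", "token": "tokA"},
    "uuid-2222": {"name": "Driver B", "phone": "555-0102", "token": "tokB"},
}

# Denied requests are recorded here; a real service would emit them as audit
# events. BOLA probes look like ordinary traffic, so this is where a detection
# rule (many denials from one session, sequential uuids, ...) would look.
DENIALS = []


@dataclass(frozen=True)
class Session:
    """Authenticated caller as established by the auth layer (assumed)."""
    user_uuid: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def get_driver_vulnerable(session, user_uuid):
    """BOLA: authentication happened, but the object is never tied to the caller."""
    return DRIVERS[user_uuid]   # any valid session reads any driver's record


def get_driver_authorized(session, user_uuid):
    """Hardened: ownership (or an explicit role) is checked for this object,
    and the response is limited to fields the client actually needs."""
    if user_uuid != session.user_uuid and "support" not in session.roles:
        DENIALS.append({"caller": session.user_uuid, "requested": user_uuid})
        raise Forbidden(f"{session.user_uuid} may not read {user_uuid}")
    record = DRIVERS[user_uuid]
    # Never echo server-side secrets back to the client, even to the owner.
    return {k: v for k, v in record.items() if k != "token"}


if __name__ == "__main__":
    victim = Session("uuid-1111")
    print(get_driver_vulnerable(victim, "uuid-2222"))      # leaks Driver B, token included
    print(get_driver_authorized(victim, "uuid-1111"))      # owner, token stripped
    try:
        get_driver_authorized(victim, "uuid-2222")
    except Forbidden as exc:
        print("denied:", exc, "| audit:", DENIALS[-1])
```

The check belongs in the handler for every object-returning route; a gateway-level WAF cannot make it, because nothing in the request itself distinguishes the owner's lookup from someone else's.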
Why IT should integrate information security with digital initiatives
Integrating information security with digital initiatives can also go a long way
in dealing with the rise in ransomware attacks, as explained by W. Curtis
Preston, chief technical evangelist at Druva. “Ransomware attacks are
particularly becoming a daily occurrence, and it’s only gotten worse since the
pandemic,” said Preston. “Just last year, the FBI reported a 400 percent
increase in ransomware, and the rates of these attacks are not predicted to slow
down anytime soon. These attacks not only cause significant financial damage,
but can diminish a brand’s reputation and customer trust.

“For organisations looking to remain secure while keeping pace with today’s
digitised business landscape, integrating security with digital initiatives is
imperative. A holistic approach to security that includes detection, resilience,
and data recovery will allow organisations to mitigate cyber risk and thrive in
today’s digital landscape.

“Security must also be embedded into the organisation’s culture. This means
prioritising security, and ensuring that security experts are involved in
critical business decision making from an early stage....”
UK to fund national cyber teams in Global South
Raab said the UN’s recent unanimous agreement on principles for how states
should operate in cyber space was an important stepping stone, but the UK now
wanted wider agreement on how to respond to nation-states that “systematically
commit malicious cyber attacks”. “We have got to win hearts and minds across
the world for our positive vision of cyber space as a free space, open to all
responsible users and there for the benefit of the whole world,” said Raab.
“And, frankly, we’ve got to prevent China, Russia and others from filling the
multilateral vacuum. That means doing a lot more to support the poorest and
most vulnerable countries.

“Today I am very pleased to announce that the UK government will invest £22m in
new funding to support cyber capacity building in those vulnerable countries,
particularly in Africa and the Indo-Pacific.

“That money will go to supporting national cyber response teams, advising on
mass online safety awareness campaigns, and collaborating with Interpol to set
up a new cyber operations hub in Africa. The idea of that will be to improve
co-operation on cyber crime investigations, and support the countries involved
to mount joint operations.”
Why You Should Be Prepared to Pay a Ransom
A clear-eyed approach to the ransomware threat also makes it easier to handle the PR fallout from an attack. That's partly because you can plan ahead, and figure out how to create a crisis communications strategy that's aligned with the reality of the situation you find yourself in. Just as importantly, though, it's far easier to explain your ransom payments to customers and shareholders if you've been upfront about the risks you face, and haven't previously claimed that you'd never, ever pay to retrieve stolen data. Perhaps the most important reason to be honest about your ransomware response strategy, though, is that it gives you full visibility into the true cost of ransomware attacks, which in turn allows you to make more realistic cybersecurity ROI calculations. When you know how much a ransomware attack will cost you — including the ransom, the fines, and the potential damage to your brand — then you can make smarter and more informed decisions about how much you should be investing in cybersecurity designed to keep your data safe. It's always better, after all, to make sensible investments in security upfront and avoid getting hacked in the first place.
Prediction: The future of CX
Predictive CX platforms allow companies to better measure and manage their CX
performance; they also inform and improve strategic decision making. These
systems make it possible for CX leaders to create an accurate and quantified
view of the factors that are propelling customer experience and business
performance, and they become the foundation to link CX to value and to build
clear business cases for CX improvement. They also create a holistic view of
the satisfaction and value potential of every customer that can be acted upon
in near real time. Leaders who have built such systems are creating
substantial value through a wide array of applications across performance
management, strategic planning, and real-time customer engagement. ...
Prioritizing CX efforts through intentional strategic planning is another
promising use case for data-driven systems that allow CX leaders to understand
which operational, customer, and financial factors are creating systemic
issues or opportunities over time. One US healthcare payer, for example, built
a “journey lake” to determine how to improve its customer care.
Artificial intelligence revolution offers benefits and challenges
"Knowing where and how to use AI is not always easy. Innovation in business is
typically incremental and rarely transformative to the extent that more
vociferous AI hype suggests. Because AI and the automation it entails come at
a cost, businesses will need to find the optimal level of AI that integrates
the new with the old, balancing the costs of acquisition and disruption with
productivity, quality and flexibility needs and expectations." "This leads us
to a second caveat. AI, especially 'affordable AI,' still has limited
capabilities. AI relies on data utilization and exploitation. From a business
perspective, this requires knowing what data the business has—and its
potential value to improving products or processes. These are not givens." The
authors nominate ethical dilemmas as a third risk facing the uptake of AI.
They note the negative experiences "of Microsoft's racist chatbot (a poorly
developed chatbot that mimicked the provocative language of its users),
Amazon's AI-based recruitment tool that ignored female job applicants (and)
Australia's Robodebt. Garbage in, garbage out." At the very least, these AI
tools were not trained appropriately. But training isn't everything.
Three post-pandemic predictions for the world of work
Let’s face it — many executives in senior leadership positions do not invest
much time or energy in the leadership part of their role. Instead, they might
simply be swept along by the busywork of endless meetings, or they are focused
more on advancing their own careers and engaging in corporate politics. But
the actual work of leadership is more intentional. With so many companies
adopting policies that allow for remote work, the burden that is shifted onto
leadership is greater. The C-suite needs to articulate the strategy in ways
that provide clear signals to everyone in terms of what they should be working
on and why it’s important. And with so many people working out of the office,
fostering and embedding the corporate culture will have to become a priority,
given that colleagues may seem more like ships passing in the night (if they
meet in person at all). Leaders will have to work overtime to share the
company’s values, and the stories behind them. And they’ll need to reinforce
those values at every employee touch point if people are going to adopt them
as they did when everyone was together.
The best CISOs think like Batman, not Superman
Why should CISOs learn to think like Batman? For starters, Batman knows that
fighting crime isn’t a popularity contest and doesn’t expect thanks from the
people he’s trying to protect. In the same way, CISOs should accept that if
they’re popular, they’re probably doing their job wrong. People should feel a
bit of angst when the CISO’s shadow falls over their desk — because the CISO
should be prodding them to make uncomfortable decisions, badgering them to do
better, and preventing them from settling into complacency. Your role isn’t to
keep people happy — it’s to keep them safe, despite the groaning and muttering
your efforts inspire. Batman also knows that you can’t fight crime by basking
in the sunshine. Instead, you’ve got to know the city’s underbelly and fight
crooks and gangsters on their own turf. In just the same way, CISOs need to
live with a foot in the underworld. It’s only by understanding the way that
hackers think and operate that you can hope to keep your organization safe,
and that means knowing your way around the murkier corners of the dark web and
spending plenty of time tracking the scripts, strategies, and other dirty
tricks being shared by the black-hat crowd.
AI offers an array of document processing opportunities
Utilising neural networks, AI-driven document processing platforms offer a
leapfrog advance over traditional recognition technologies. At the outset, a
system is ‘trained’ so that a consolidated core knowledge base is created
about a particular (spoken) language, form and/or document type. In AI jargon,
this is known as the ‘inference’. This knowledge base then expands and grows
over time as more and more information is fed into the system and it
self-learns – able to recognise documents and their contents as they arrive.
This is achieved by using a feedback ‘re-training loop’ – think of it as
supervised learning overseen by a human – whereby errors in the system are
corrected when they arise so that the inference (and the metadata underlying
it) updates, learns and is then able to deal with similar situations on its
own when they next appear. It’s not dissimilar to how the human brain works,
and how children learn a language. In other words, the more kids talk, make
mistakes and are corrected, the better they get at speaking. The same is true
with AI when applied to document analysis and processing. The inference
becomes ever more knowledgeable and accurate.
The Long Road to Rebuilding Trust after 'Golden SAML'-Like Attacks
Re-establishing trust in the aftermath of a Golden SAML attack or similar attacks can be potentially disruptive. If an organization suspects that a Golden SAML attack has been used against them, the most important step is to rotate the token signing and token encryption certificates in ADFS twice in rapid succession, says Doug Bienstock, manager at FireEye Mandiant's consulting group. This action should be done in tandem with traditional eradication measures for blocking any known malware and resetting passwords across the enterprise, he says. Organizations that don't rotate — or change — the keys twice in rapid succession run the risk of a copy of the previous potentially compromised certificates being used to forge SAML tokens. CyberArk's Reiner says key rotation could cause disruption if security teams are not prudent about how it is implemented. "Rotating means revoking the old key and creating a new one," he says. "That means you have removed the trust between your own network and other cloud services." In normal situations, when an organization wants to rotate existing keys, there's a grace period during which the old key will continue to work while the new one is rolled out.
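To make the "rotate twice" advice concrete, here is an added Python simulation (not code from the article, from Mandiant, from CyberArk or from ADFS) of a token-signing key ring that, as described above, keeps the previous key valid during a grace period. HMAC secrets stand in for the token-signing certificate, a copied key stands in for the compromised one, and the class and function names (SigningKeyRing, forged_token_accepted_after, emergency_rotate) are constructed for this illustration. It shows that after one rotation a token signed with the copied key still verifies, because the grace period trusts the previous key, and only a second rotation in rapid succession pushes it out of the trust set.

```python
"""Toy signing-key ring with a rotation grace period (added example).

HMAC keys stand in for ADFS token-signing certificates; nothing here is the
real ADFS implementation. All names are constructed for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class SigningKeyRing:
    """Holds the current signing key plus the previous one, which stays valid
    during the grace period that follows a normal rotation."""

    def __init__(self):
        self.current: bytes = secrets.token_bytes(32)
        self.previous: Optional[bytes] = None

    def sign(self, claims: str, key: Optional[bytes] = None) -> str:
        """Sign a claims string with the current key (or an explicit key)."""
        key = self.current if key is None else key
        return hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()

    def verify(self, claims: str, signature: str) -> bool:
        """Relying parties accept tokens from the current key and, during the
        grace period, from the previous key as well."""
        for key in (self.current, self.previous):
            if key is not None and hmac.compare_digest(self.sign(claims, key), signature):
                return True
        return False

    def rotate(self) -> None:
        """Ordinary rotation: the old key becomes 'previous' and keeps working."""
        self.previous, self.current = self.current, secrets.token_bytes(32)

    def emergency_rotate(self) -> None:
        """Two rotations in rapid succession: the key that was current before
        the incident is no longer in the trust set at all."""
        self.rotate()
        self.rotate()


def forged_token_accepted_after(rotations: int) -> bool:
    """Simulate a copied signing key, then rotate `rotations` times and report
    whether a token made with the copy still verifies."""
    ring = SigningKeyRing()
    copied_key = ring.current                      # stand-in for the stolen certificate
    claims = "sub=alice;role=admin"                # constructed claims
    forged = ring.sign(claims, copied_key)
    for _ in range(rotations):
        ring.rotate()
    return ring.verify(claims, forged)


def forged_token_accepted_after_emergency_rotate() -> bool:
    ring = SigningKeyRing()
    copied_key = ring.current
    claims = "sub=alice;role=admin"
    forged = ring.sign(claims, copied_key)
    ring.emergency_rotate()
    return ring.verify(claims, forged)


if __name__ == "__main__":
    for n in (0, 1, 2):
        print(f"after {n} rotation(s): forged token accepted = {forged_token_accepted_after(n)}")
    print("after emergency rotate:", forged_token_accepted_after_emergency_rotate())
```

The disruption Reiner describes follows from the same structure: `emergency_rotate` removes the grace period, so every relying party that has not yet picked up the new key stops trusting tokens until its federation metadata is refreshed.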
Quote for the day:
“One of the most sincere forms of
respect is actually listening to what another has to say.” --
Bryant H. McGill