Daily Tech Digest - May 12, 2021

Web Application Security is not API Security

Broken Object Level Authorization (BOLA) is number one on the API Top 10 list. Uber’s API had this vulnerability. Thankfully, it was discovered by security researchers before malicious actors did damage (as far as we know). But it illustrates well how dangerous BOLA can be. The vulnerability leaked sensitive information, including an authentication token that could be used to perform a full account takeover. The vulnerability appears when a new driver joins the Uber platform. The browser sends the “userUuid” to the API endpoint, and the API returns data about the driver used to populate the client. ... Application security technologies such as Web Application Firewall, Next Generation Web Application Firewall, and Runtime Application Self-Protection don’t typically find the kinds of vulnerabilities we’ve discussed. These attacks present as ordinary traffic, so many defenses let them through. The future of API security lies with business logic. Application security tools have to understand the application’s context and business logic to know that non-managers shouldn’t be adding collaborators to a store or that a client shouldn’t access that user ID’s information.

Why IT should integrate information security with digital initiatives

Integrating information security with digital initiatives can also go a long way in dealing with the rise in ransomware attacks, as explained by W. Curtis Preston, chief technical evangelist at Druva. “Ransomware attacks are particularly becoming a daily occurrence, and it’s only gotten worse since the pandemic,” said Preston. “Just last year, the FBI reported a 400 percent increase in ransomware, and the rates of these attacks are not predicted to slow down anytime soon. These attacks not only cause significant financial damage, but can diminish a brand’s reputation and customer trust. “For organisations looking to remain secure while keeping pace with today’s digitised business landscape, integrating security with digital initiatives is imperative. A holistic approach to security that includes detection, resilience, and data recovery will allow organisations to mitigate cyber risk and thrive in today’s digital landscape. “Security must also be embedded into the organisation’s culture. This means prioritising security, and ensuring that security experts are involved in critical business decision making from an early stage....”

UK to fund national cyber teams in Global South

Raab said the UN’s recent unanimous agreement on principles for how states should operate in cyber space was an important stepping stone, but the UK now wanted wider agreement on how to respond to nation-states that “systematically commit malicious cyber attacks”. “We have got to win hearts and minds across the world for our positive vision of cyber space as a free space, open to all responsible users and there for the benefit of the whole world,” said Raab. “And, frankly, we’ve got to prevent China, Russia and others from filling the multilateral vacuum. That means doing a lot more to support the poorest and most vulnerable countries. “Today I am very pleased to announce that the UK government will invest £22m in new funding to support cyber capacity building in those vulnerable countries, particularly in Africa and the Indo-Pacific. “That money will go to supporting national cyber response teams, advising on mass online safety awareness campaigns, and collaborating with Interpol to set up a new cyber operations hub in Africa. The idea of that will be to improve co-operation on cyber crime investigations, and support the countries involved to mount joint operations.”

Why You Should Be Prepared to Pay a Ransom

A clear-eyed approach to the ransomware threat also makes it easier to handle the PR fallout from an attack. That's partly because you can plan ahead, and figure out how to create a crisis communications strategy that's aligned with the reality of the situation you find yourself in. Just as importantly, though, it's far easier to explain your ransom payments to customers and shareholders if you've been upfront about the risks you face, and haven't previously claimed that you'd never, ever pay to retrieve stolen data. Perhaps the most important reason to be honest about your ransomware response strategy, though, is that it gives you full visibility into the true cost of ransomware attacks, which in turn allows you to make more realistic cybersecurity ROI calculations. When you know how much a ransomware attack will cost you — including the ransom, the fines, and the potential damage to your brand — then you can make smarter and more informed decisions about how much you should be investing in cybersecurity designed to keep your data safe. It's always better, after all, to make sensible investments in security upfront and avoid getting hacked in the first place.

Prediction: The future of CX

Predictive CX platforms allow companies to better measure and manage their CX performance; they also inform and improve strategic decision making. These systems make it possible for CX leaders to create an accurate and quantified view of the factors that are propelling customer experience and business performance, and they become the foundation to link CX to value and to build clear business cases for CX improvement. They also create a holistic view of the satisfaction and value potential of every customer that can be acted upon in near real time. Leaders who have built such systems are creating substantial value through a wide array of applications across performance management, strategic planning, and real-time customer engagement. ... Prioritizing CX efforts through intentional strategic planning is another promising use case for data-driven systems that allow CX leaders to understand which operational, customer, and financial factors are creating systemic issues or opportunities over time. One US healthcare payer, for example, built a “journey lake” to determine how to improve its customer care.

Artificial intelligence revolution offers benefits and challenges

"Knowing where and how to use AI is not always easy. Innovation in business is typically incremental and rarely transformative to the extent that more vociferous AI hype suggests. Because AI and the automation it entails come at a cost, businesses will need to find the optimal level of AI that integrates the new with the old, balancing the costs of acquisition and disruption with productivity, quality and flexibility needs and expectations." "This leads us to a second caveat. AI, especially 'affordable AI," still has limited capabilities. AI relies on data utilization and exploitation. From a business perspective, this requires knowing what data the business has—and its potential value to improving products or processes. These are not givens." The authors nominate ethical dilemmas as a third risk facing the uptake of AI. They note the negative experiences "of Microsoft's racist chatbot (a poorly developed chatbot that mimicked the provocative language of its users), Amazon's AI-based recruitment tool that ignored female job applicants (and) Australia's Robodebt. Garbage in, garbage out." At the very least, these AI tools were not trained appropriately. But training isn't everything. 

Three post-pandemic predictions for the world of work

Let’s face it — many executives in senior leadership positions do not invest much time or energy in the leadership part of their role. Instead, they might simply be swept along by the busywork of endless meetings, or they are focused more on advancing their own careers and engaging in corporate politics. But the actual work of leadership is more intentional. With so many companies adopting policies that allow for remote work, the burden that is shifted onto leadership is greater. The C-suite needs to articulate the strategy in ways that provide clear signals to everyone in terms of what they should be working on and why it’s important. And with so many people working out of the office, fostering and embedding the corporate culture will have to become a priority, given that colleagues may seem more like ships passing in the night (if they meet in person at all). Leaders will have to work overtime to share the company’s values, and the stories behind them. And they’ll need to reinforce those values at every employee touch point if people are going to adopt them as they did when everyone was together.

The best CISOs think like Batman, not Superman

Why should CISOs learn to think like Batman? For starters, Batman knows that fighting crime isn’t a popularity contest and doesn’t expect thanks from the people he’s trying to protect. In the same way, CISOs should accept that if they’re popular, they’re probably doing their job wrong. People should feel a bit of angst when the CISO’s shadow falls over their desk — because the CISO should be prodding them to make uncomfortable decisions, badgering them to do better, and preventing them from settling into complacency. Your role isn’t to keep people happy — it’s to keep them safe, despite the groaning and muttering your efforts inspire. Batman also knows that you can’t fight crime by basking in the sunshine. Instead, you’ve got to know the city’s underbelly and fight crooks and gangsters on their own turf. In just the same way, CISOs need to live with a foot in the underworld. It’s only by understanding the way that hackers think and operate that you can hope to keep your organization safe, and that means knowing your way around the murkier corners of the dark web and spending plenty of time tracking the scripts, strategies, and other dirty tricks being shared by the black-hat crowd.

AI offers an array of document processing opportunities

Utilising neural networks, AI-driven document processing platforms offer a leapfrog advance over traditional recognition technologies. At the outset, a system is ‘trained’ so that a consolidated core knowledge base is created about a particular (spoken) language, form and/or document type. In AI jargon, this is known as the ‘inference’. This knowledge base then expands and grows over time as more and more information is fed into the system and it self-learns – able to recognise documents and their contents as they arrive. This is achieved given a feedback ‘re-training loop’ is used – think of it as supervised learning overseen by a human – whereby errors in the system are corrected when they arise so that the inference (and the meta data underlying it) updates, learns and is able to then deal with similar situations on its own when they next appear. It’s not dissimilar to how the human brain works, and how children learn a language. In other words, the more kids talk, make mistakes and are corrected, the better they get at speaking. The same is true with AI when applied to document analysis and processing. The inference becomes ever more knowledgeable and accurate.

The Long Road to Rebuilding Trust after 'Golden SAML'-Like Attacks

Re-establishing trust in the aftermath of a Golden SAML attack or similar attacks can be potentially disruptive. If an organization suspects that a Golden SAML attack has been used against them, the most important step is to rotate the token signing and token encryption certificates in ADFS twice in rapid succession, says Doug Bienstock, manager at FireEye Mandiant's consulting group. This action should be done in tandem with traditional eradication measures for blocking any known malware and resetting passwords across the enterprise, he says. Organizations that don't rotate — or change — the keys twice in rapid succession run the risk of a copy of the previous potentially compromised certificates being used to forge SAML tokens. CyberArk's Reiner says key rotation could cause disruption if security teams are not prudent about how it is implemented. "Rotating means revoking the old key and creating a new one," he says. "That means you have removed the trust between your own network and other cloud services." In normal situations, when an organization wants to rotate existing keys, there's a grace period during which the old key will continue to work while the new one is rolled out.

Quote for the day:

“One of the most sincere forms of respect is actually listening to what another has to say.” -- Bryant H. McGill

No comments:

Post a Comment