Daily Tech Digest - November 23, 2021

How to investigate service provider trust chains in the cloud

Microsoft Detection and Response Team (DART) has been assisting multiple organizations around the world in investigating the impact of NOBELIUM’s activities. While we have already engaged directly with affected customers to assist with incident response related to NOBELIUM’s recent activity, our goal with this blog is to help you answer the common and fundamental questions: How do I determine if I am a victim? If I am a victim, what did the threat actor do? How can I regain control over my environment and make it more difficult for this threat actor to regain access to our environments? ... DAP can be beneficial for both the service provider and end customer because it allows a service provider to administer a downstream tenant using their own identities and security policies. ... Azure AOBO is similar in nature to DAP, albeit the access is scoped to Azure Resource Manager (ARM) role assignments on individual Azure subscriptions and resources, as well as Azure Key Vault access policies. Azure AOBO brings similar management benefits as DAP does.


Sharded Multi-Tenant Database using SQL Server Row-Level Security

The distribution of tenants among multiple servers can be made using different methods. An intuitive way would be like "put the first 10 tenants in this server A, then only when needed provision a new server B and put the next 10 tenants there, etc". Another method would be starting with a few servers and distributing tenants evenly across those servers: Let's say you have 3 servers called A, B, C, you'd put Tenant1 into A, Tenant2 into B, Tenant3 into C, Tenant4 into A again, Tenant5 into B, etc. So basically tenants are distributed according to (TenantId)%(NumberOfServers). If you don't want to have a single catalog (which as I said before is both a bottleneck and a single point of failure) you can spread your catalog across multiple servers (exactly like the tenants' data) as long as your requests can be routed directly to the right place, which would require the sharding to be based on something like the tenant domain. ... The Security Policy TenantAccessPolicy can be used to apply filters over any number of tables. To make sure that any table with the [TenantId] column will always be filtered, we can create a DDL trigger that will apply the security predicate to any new (or modified) table. 


How Nvidia aims to demystify zero trust security

Nvidia is succeeding at its mission of demystifying zero trust in datacenters, starting with its BlueField DPU architecture. Its architecture includes secure boot with hardware root-of-trust, secure firmware updates, and Cerberus compliant with more enhancements to support the build-out of its zero-trust framework. One of Nvidia’s core strengths is its ability to extend and scale DPU core features with SDKs and related software, while scaling to support larger AI and data science workloads. Doubling down on DOCA development this year, Nvidia used GTC 2021 to announce the 1.2 release supports new authentication, attestation, isolation, and monitoring features, further strengthening Nvidia’s zero-trust platform. In addition, Nvidia says they are seeing momentum in customers and partners signing up for the DOCA early access program. ... Morpheus monitors network activity using unsupervised machine learning algorithms to understand typical behavioral patterns, as well as identity, endpoint, and location parameters across multiple networks. 


Privacy vs. Security: What’s the Difference?

The difference between data privacy and data security comes down to who and what your data is being protected from. Security can be defined as protecting data from malicious threats, while privacy is more about using data responsibly. This is why you’ll see security measures designed around protecting against data breaches no matter who the unauthorized party is that’s trying to access that data. Privacy measures are more about managing sensitive information, making sure that the people with access to it only have it with the owner’s consent and are compliant with security measures to protect sensitive data once they have it. ... Using apps with end-to-end encryption is a good way to boost the security of your data online. Messaging services like Signal are encrypted end-to-end, meaning that no one but the sender and recipient of the message can view the data. That’s because the data is encrypted (or scrambled) before being sent, then decrypted only when it hits your device. One caveat here is to make sure the service you’re using is actually end-to-end encrypted. 


Five principles for navigating the post-pandemic era

The pandemic has permanently changed what it means to be “at work”. Work is no longer a place you go, but what you do. Hybrid working, and the ability to work from anywhere, is here to stay. A huge part of this shift has been facilitated by our capacity to invent new ways of working fit for the digital age. Video conferencing, the cloud, instant messaging: it’s all part of the same narrative – how technology can facilitate new behaviours and patterns that can benefit the workforce. Network-as-a-Service (NaaS), for example, is a secure, cost-effective subscription-based model that lets businesses of all sizes consume network infrastructure on-demand and as needed. Think of it like a thermostat, where you can increase or decrease temperature to suit your needs. With a solution like NaaS, businesses can ensure their employees have the same security and network connectivity at a coffee shop or at home, as they would in the office. This fundamentally changes what it means to be safe, secure and online – and employees can work from any location.


Enterprise Readiness For The Digital Age: Digital Fluency And Digital Resiliency

Digital fluency is the missing ingredient in many digital transformation efforts. In most cases, I would argue that it’s not the technology that’s holding an employee back but the lack of digital infrastructure, Culture, leadership, and skills, which are required to thrive alongside technologies. Digital literacy in the workforce can be tricky, especially for a large organization with thousands of employees. Companies must consider each employee’s age, background, educational qualification, and current digital literacy level. Although the challenges are beyond Diversity and Inclusion (D&I), it also includes resistance to change, Fear of Missing Out (FOMO), tracking the change management, continuous process of change, etc. To be successful, businesses will need to provide the right digital tools and training to the workforce, including leadership and cultural support to build Tech intensity, i.e., an organization’s ability to adapt and integrate the latest technology to develop its unique digital capability and trust factor.


Why cybersecurity training needs a post-pandemic overhaul

Unless you’re training tech workers, there really is no reason to overwhelm your learners with industry jargon. The average employee will struggle with an overly technical language and may end up missing the point of the training entirely while trying to memorize complicated terms. Cybersecurity training materials should be written in layman’s terms. An accessible training language is the first step in making any kind of training stick. Another unfortunate side-effect of relying too heavily on industry jargon during training is that makes the average employee unable to see how this training could relate to their daily job operations. When your training materials are abstract or don’t incorporate real-life scenarios, they can be more easily disregarded as something that employees probably won’t have to deal with. However, this could not be further from the truth, especially with the rise of remote and hybrid working. In fact, according to Tanium, 90% of companies faced an increase in cyberattacks due to COVID-19, making cybersecurity training more critical than ever.


Digital transformation: 4 IT leaders share how they fight change fatigue

Digital transformation can be a never-ending journey, but there are still key milestones and inflection points. Breaking the journey down this way helps keep the momentum going and allows time for reflection to make any course corrections. While it’s important to keep looking forward, don’t forget to look back and reflect on how far the organization has come and lessons learned along the way. Additionally, maintain an external perspective on where the competition is and how customer preferences may be changing. Keeping these stakeholders at the center of your plans helps keep everyone energized and focused. Create a culture of embracing change and uncertainty. Many large complex businesses have been focused on eliminating uncertainty and risk, but the digital transformation journey is not one of certainty and zero risk. Getting comfortable with that as a way of surviving and thriving will help transformation team members realize they are not swimming upstream, but with the current.


More Than Half of Indian Loan Apps Illegal, RBI Panel Finds

Some digital lending platforms exploit users' lack of financial awareness and charge them exorbitant interest rates, Rahul Pratap Yadav, chief business officer and strategy at digital payments firm iMoneyPay and former senior vice president at Yes Bank, tells ISMG. He adds that digital lenders ensnare other customers through multilevel marketing and by offering them referral bonuses. The lack of awareness on privacy and absence of regulatory mandates protecting user identity has also contributed to the list of challenges in the digital lending space, Yadav notes. He recommends that digital lenders "have the right checks and balances in the app, and educate borrowers on financial fraud and getting into bad debt because of financial irresponsibility." The Indian digital lending space is also home to several China-based actors, according to the working group. "Anyone that had access to money and can build an app is capable of becoming a digital lender," Sasi says. Many of these unregulated digital lending apps charge 10% to 15% monthly interest, making the lending market a lucrative business for companies trying to make a quick buck, he says.


Guarding against DCSync attacks

Step one is to implement basic security and hygiene practices for Active Directory. The attack requires the threat actor to have already compromised a domain administrator account or any other account that has been granted the DCsync permissions. As such, monitoring the permissions of your domain head is critical so that you are aware of which accounts or groups have been assigned the powerful DCSync permissions. You might find that you should revoke permissions for some users who had accidentally been granted them years ago. ... The second focus for enterprises should be on preventing lateral movement when attackers breach the network. Organizations should control access according to the principle of least privilege. Using a tiering model—where no domain account would ever log onto systems not involved in managing AD itself—will clearly make it harder for adversaries to elevate their privileges. Access rights must be regularly reviewed to ensure users do not have privileges they do not need for their duties. 



Quote for the day:

"People seldom improve when they have no other model but themselves." -- Oliver Goldsmith

No comments:

Post a Comment