Governments around the world are facing pressure to enact more comprehensive data privacy legislation, in response to increasing consumer concerns about how personal data and digital activity are being stored and used. This is particularly notable when it comes to the cloud, because a business can store its data in any number of different geographic regions regardless of where the company itself is based – and if it uses public cloud providers, it might not even know where its data is physically being stored. This is where questions of cloud data sovereignty – the concept that data stored in the cloud is subject to the laws and regulations of the country that has jurisdiction over the physical servers and premises being used – become far more relevant. The world of data protection had a big wake-up call when the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) were passed. These two landmark pieces of legislation aimed to bring some degree of consistency to the collection and use of personally identifiable information – for one of the world’s biggest trading blocs and the US’ most populous state respectively.
There are still two long-held misconceptions around passwords. The first is that adding capital letters, numbers or special characters to your one-word password will make it uncrackable. This myth is perpetuated by the many business accounts that impose these requirements. However, the real measure of password security is length. Software can crack short passwords, no matter how "complex", in a matter of days, but the longer a password is, the more time it takes to crack. The recommendation is to use a memorable phrase -- from a book or song, for example -- that doesn’t include special characters. But choosing a strong, (almost certainly) uncrackable password is only the first step. If the service you’re using is hacked and criminals gain access to your password, you’re still vulnerable. That’s where two-factor authentication (2FA) and multi-factor authentication (MFA) come in. These methods require you to set up an extra verification step: when you log in, you’ll be prompted to enter a security code that is sent to your phone or retrieved from a dedicated verification app.
Discovering and analyzing this type of framework poses unique challenges, as there are often multiple components that all have to be analyzed together in order to get the complete picture of how the attacks are really being carried out. Using the knowledge made public by more than 10 different organizations over the years, plus some ad hoc analysis to clarify or confirm technical details, researchers put the frameworks in perspective to see what history could teach cybersecurity professionals and, to a certain extent, even the wider public about improving air-gapped network security and our ability to detect and mitigate future attacks. They revisited each framework known to date, comparing them side by side in an exhaustive study that reveals several major similarities, even between those produced 15 years apart. “Unfortunately, threat groups have managed to find sneaky ways to target these systems. As air-gapping becomes more widespread, and organizations are integrating more innovative ways to protect their systems, cyber-attackers are equally honing their skills to identify new vulnerabilities to exploit,” says Alexis Dorais-Joncas.
Continuous Integration (CI) and Continuous Delivery (CD) are fundamental DevOps concepts. They enable developers to manage their work, merge their changes into a central repository (or version control system), and release continuously. If you go back to the core DevOps principles, it’s all about achieving the best collaboration, whether or not you’re working on the same functions or classes, triggers, layouts, etc. Think of your worst ‘version control’ nightmares dissipating because of CI/CD. But watch out for the major misconception that this is achieved purely through ‘tooling’. After all, you can’t buy tools and simply expect them to fix your problems – if you buy a drill, the shelves don’t go up on their own! First, you must understand the process (how to level the boards, where to use wall anchors, and so on). In our developer world, it’s important to understand the tools and the processes that come along with them. Similarly, CI/CD tools won’t fix your problems if you don’t have the right process in place (such as a branch management strategy or an environment strategy).
Bank Python implementations also seem to be using their own proprietary data structure for tables, offering faster access to medium-sized datasets (while storing them more efficiently in memory). “Some implementations are lumps of C++ (not atypical of financial software) and some are thin veneers over sqlite3,” Paterson said. (His friend Salim Fadhley, a London-based developer, has even released an (all-Python) version of the table data structure called eztable.) Paterson concludes that while most programming has a code-first approach, Bank Python would be characterized as data-first. While it’s ostensibly object-oriented, “you group the data into tables and then the code lives separately.” Needless to say, Bank Python inevitably ends up getting its own internal integrated development environment (IDE) to handle all of its unique configuration quirks, and it even has its own unique version-control system for code. Paterson acknowledged the uncharitable assessment that it’s all just a grand exercise in distrusting anything that originated outside the company.
TSA also released guidance recommending that lower-risk surface transportation owners and operators voluntarily implement the same measures. "We have not witnessed a rail industry event on the level of Colonial Pipeline, but a ransomware disruption, let alone a targeted attack, is a plausible scenario," says John Dickson, vice president of the cloud security firm Coalfire, which provides services to DHS and other federal agencies. He says that without "a regulatory nudge," the rail industry, particularly the freight portion, is not likely to improve its cybersecurity hygiene on its own. Other experts say TSA could get overwhelmed in reporting what they call noise. "At a high level, the directives seem completely reasonable, but as always, the devil is in the details," says Jake Williams, a former member of the NSA's elite hacking team. "Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing."
In at least one case, the attacker compromised a local VPN account, then used it to conduct recon and gain access to internal resources in the victim CSP's environment. This allowed them to compromise internal domain accounts. In another campaign, attackers were able to access a victim's Microsoft 365 environment using a stolen session token. It was later discovered some systems had been infected with info-stealer Cryptbot before the token was generated. Other techniques include the compromise of a Microsoft Azure AD account within a CSP's tenant in one attack; in another, attackers used RDP to pivot between systems that had limited Internet access. The attackers compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell to execute commands in target networks. Attackers are also making use of a new bespoke downloader dubbed Ceeloader, which decrypts a shellcode payload to execute in memory on a target device.
Ad hoc automation tends to occur independently of other efforts. Even if it solves the problem at hand, there are unclear (if any) links to how it aligns with broader goals. While that might be fine to some extent, it can also breed silos, cultural resistance, and other potential issues. Strategic automation can be both incremental and well-connected to the big picture. “While there are many questions a CIO will have along the way when deciding their automation strategy, the single most important question they should ask themselves is: ‘How will automation help my organization achieve the business outcomes we need to get to where we want to be in 4-5 years?’” Becky Trevino, VP of operations at Snow Software, told us. Trevino notes that a “yes-no” matrix can help guide decision-making and prioritization, as in: “Does automating this help us achieve X?” If the answer is yes, then you do it. If the answer is no or maybe, then you should at minimum be asking deeper questions about why you’re doing it.
What does “genuinely personalised” banking look like? To answer that, we should compare these challenger banks with “business as usual” in the sector. Currently, most traditional banks still treat their online accounts as a digital version of a traditional balance statement. The odds are that your bank’s online account only provides a simple, itemised list of your ingoings and outgoings. If you want to calculate how much you spend, how you allocate that spending, set a realistic budget for next month, or estimate how much you might be able to save in an average month, it’s often the case that you simply have to trawl through your statement yourself and do the hard calculations. Want to easily see how much goes out on your subscription services or other automatic charges versus incidental spending, and perhaps manage some of those financial commitments? The data is all there, but it often has yet to be transformed into easy-to-understand interfaces that can help consumers or small business owners get their finances under control. This ends up being burdensome for people. And it’s also quite unnecessary.
Quote for the day:
"Leadership happens at every level of the organization and no one can shirk from this responsibility." -- Jerry Junkins