Why 2022 will be the year of data sovereignty cloud
Governments around the world are facing pressure to enact more comprehensive
data privacy legislation, in response to increasing consumer concerns about how
personal data and digital activity are being stored and used. It’s particularly
notable when it comes to the cloud because a business can store its data in any
number of different geographic regions regardless of where the company itself
might be based – and if it is using public cloud providers, it might not
even know where its data is physically being stored. This is where questions
of cloud data sovereignty – the concept that data stored in the cloud is subject
to the laws and regulations of the country that has jurisdiction over the physical
servers and premises being used – become far more relevant. The world of data
protection had a big wake-up call when the EU’s General Data Protection
Regulation (GDPR) and the California Consumer Privacy Act (CCPA) were passed.
These two landmark pieces of legislation aimed to bring some degree of
consistency around the collection and use of personally identifiable information
– for one of the world’s biggest trading blocs and the US’ most populous state
respectively.
5 cybersecurity myths that are compromising your data
There are still two long-held misconceptions around passwords. The first is that
adding capital letters, numbers or special characters to your one-word password
will make it uncrackable. This myth is perpetuated by a lot of business accounts
which have these requirements. However, the real measure of password security is
length. Software can crack short passwords, no matter how "complex", in a matter
of days. But the longer a password is, the more time it takes to crack. The
recommendation is using a memorable phrase -- from a book or song, for example
-- that doesn’t include special characters. But determining a strong, (almost
certainly) uncrackable password is only the first step. If the service you’re
using is hacked and criminals gain access to your password, you’re still
vulnerable. That’s where two-factor authentication (2FA) and multi-factor
authentication (MFA) come in. These methods require you to set up an extra
verification step. When you log in, you’ll be prompted to enter a security code
which will be sent to your phone or even accessed via a dedicated verification
app.
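To put numbers on the claim above that length, not character variety, is what makes a password expensive to crack, here is a small estimator added for this digest (not code from any of the articles quoted). It assumes an attacker guessing every character combination at a made-up rate of ten billion guesses per second; the two sample passwords are constructed for illustration.

```python
import math

# Assumed offline guessing rate, chosen for illustration only (not a benchmark).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def pool_size(password: str) -> int:
    """Size of the character pool an exhaustive search must cover."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation plus space
    return pool


def entropy_bits(password: str) -> float:
    """Bits of work for an exhaustive search over pool_size ** length."""
    return len(password) * math.log2(pool_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate of this length and pool."""
    return pool_size(password) ** len(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # An 8-character "complex" password versus a 19-character lowercase phrase.
    for pw in ("P@ssw0rd", "itwasthebestoftimes"):
        print(f"{pw!r}: pool={pool_size(pw)}, bits={entropy_bits(pw):.1f}, "
              f"years={years_to_exhaust(pw):.3g}")
```

The short password with all four character classes falls in well under a year at this rate, while the plain lowercase phrase takes on the order of billions of years; the estimate is an upper bound, since a phrase built from common dictionary words is searched word by word rather than character by character.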
How to protect air-gapped networks from malicious frameworks
Discovering and analyzing this type of framework poses unique challenges as
sometimes there are multiple components that all have to be analyzed together in
order to have the complete picture of how the attacks are really being carried
out. Using the knowledge made public by more than 10 different organizations
over the years, and some ad hoc analysis to clarify or confirm some technical
details, researchers put the frameworks in perspective to see what history could
teach cybersecurity professionals and, to a certain extent, even the wider
public about improving air-gapped network security and our abilities to detect
and mitigate future attacks. They have revisited each framework known to date,
comparing them side by side in an exhaustive study that reveals several major
similarities, even within those produced 15 years apart. “Unfortunately, threat
groups have managed to find sneaky ways to target these systems. As air-gapping
becomes more widespread, and organizations are integrating more innovative ways
to protect their systems, cyber-attackers are equally honing their skills to
identify new vulnerabilities to exploit,” says Alexis Dorais-Joncas.
5 DevOps Concepts You Need to Know
Continuous Integration (CI) and Continuous Delivery (CD) are fundamental DevOps
concepts. They enable developers to manage their work and merge their changes
into a central repository (or version control system), and release continuously.
If you go back to the core DevOps principles, it’s all about achieving the best
collaboration, whether or not you’re working on the same functions or classes,
triggers, layouts, etc. Think of your worst ‘version control’ nightmares
dissipating because of CI/CD. But watch out for the major misconception that
this is achieved purely from ‘tooling’. After all, you can’t buy tools and
simply expect them to fix your problems – if you buy a drill, the shelves don’t
go up on their own! First, you must understand the process (how to level the
boards, where to use wall anchors, and so on). In our developer world, it’s
important to understand the tools and the processes that come along with them.
Similarly, CI/CD tools won’t fix your problems if you don’t have the right
process in place (such as a branch management strategy or environment
strategy).
Are You Guilty of These 8 Network-Security Bad Practices?
With many people still working from home, the lines between work life and
personal life have become blurred. Sometimes, it’s just easier to use a personal
email account or computer for communicating with colleagues. But this can
dramatically increase the risk of a phishing attack aimed at credential
harvesting or malware distribution, which can turn your home computer or
business laptop into a vector for malware infecting many other users—including
work colleagues. Once inside your company’s email server, the malware is free to access
critical data assets. ... Security-conscious companies wisely limit access to
websites via the corporate network. But when working from home, all bets are
off. So, your child might borrow your company laptop to visit a gaming or
education site with weak security—or, worse yet, a malicious site that appears
legitimate — potentially delivering malicious JavaScript which gains entry to
your corporate network the next time you log in. The loosely collected
cybercrime syndicate known as Magecart has elevated malicious JavaScript to an
art, skimming credit-card information and login credentials from
websites.
All About ‘Bank Python,’ a Finance-Specific Language Fork
Bank Python implementations also seem to be using their own proprietary data
structure for tables, offering faster access to medium-sized datasets (while
storing them more efficiently in memory). “Some implementations are lumps of C++
(not atypical of financial software) and some are thin veneers over sqlite3,”
Paterson said. (His friend Salim Fadhley, a London-based developer, has even
released an (all-Python) version of the table data structure called eztable.)
Paterson concludes that while most programming has a code-first approach, Bank
Python would be characterized as data-first. While it’s ostensibly
object-oriented, “you group the data into tables and then the code lives
separately.” Needless to say, Bank Python inevitably ends up getting its own
internal integrated development environment (IDE) to handle all of its unique
configuration quirks, and it even has its own unique version-control system for
code. Paterson acknowledged the uncharitable assessment that it’s all just a
grand exercise in distrusting anything that originated outside the company.
TSA Issues New Cybersecurity Requirements for Rail Sector
TSA also released guidance recommending that lower-risk surface transportation
owners and operators voluntarily implement the same measures. "We have not
witnessed a rail industry event on the level of Colonial Pipeline, but a
ransomware disruption, let alone a targeted attack, is a plausible scenario,"
says John Dickson, vice president of the cloud security firm Coalfire, which
provides services to DHS and other federal agencies. He says that without "a
regulatory nudge," the rail industry, particularly the freight portion, is not
likely to improve its cybersecurity hygiene on its own. Other experts say TSA
could get overwhelmed in reporting what they call noise. "At a high level, the
directives seem completely reasonable, but as always, the devil is in the
details," says Jake Williams, a former member of the NSA's elite hacking team.
"Taken at face value, railway operators would have to report every piece of
commodity malware that is discovered in the environment, even if antivirus or
EDR prevented that malware from ever executing."
Russian Actors Behind SolarWinds Attack Hit Global Business & Government Targets
In at least one case, the attacker compromised a local VPN account, then used it
to conduct recon and gain access to internal resources in the victim CSP's
environment. This allowed them to compromise internal domain accounts. In
another campaign, attackers were able to access a victim's Microsoft 365
environment using a stolen session token. It was later discovered some systems
had been infected with info-stealer Cryptbot before the token was generated.
Other techniques include the compromise of a Microsoft Azure AD account within a
CSP's tenant in one attack; in another, attackers used RDP to pivot between
systems that had limited Internet access. The attackers compromised privileged
accounts and used SMB, remote WMI, remote scheduled tasks registration, and
PowerShell to execute commands in target networks. Attackers are also making use
of a new bespoke downloader dubbed Ceeloader, which decrypts a shellcode payload
to execute in memory on a target device.
Automation strategy: 6 key elements
Ad hoc automation tends to occur independently of other efforts. Even if it
solves a problem at hand, there are unclear (if any) links to how that aligns
with broader goals. While that might be fine to some extent, it can also breed
silos, cultural resistance, and other potential issues. Strategic automation can
be both incremental and well-connected to the big picture. “While there are many
questions a CIO will have along the way when deciding their automation strategy,
the single most important question they should ask themselves is: ‘How will
automation help my organization achieve the business outcomes we need to get to
where we want to be in 4-5 years?’” Becky Trevino, VP of operations at Snow
Software, told us. Trevino notes that a “yes-no” matrix can help guide
decision-making and prioritization, as in: “Does automating this help us achieve
X?” If the answer is yes, then you do it. If the answer is no or maybe, then you
should at minimum be asking deeper questions about why you’re doing it.
How consumers will see banks embrace AI in 2022
What does “genuinely personalised” banking look like? To answer that, we should
compare these challenger banks with “business as usual” in the sector.
Currently, most traditional banks still treat their online accounts as a digital
version of a traditional balance statement. The odds are that your bank’s online
account only provides a simple, itemised list of your ingoings and outgoings. If
you want to calculate how much you spend, how you allocate that spending, set a
realistic budget for next month, or estimate how much you might be able to save
in an average month, it’s often the case that you simply will have to trawl
through your statement yourself and do the hard calculations. Want to easily see
how much goes out on your subscription services or other automatic charges
versus incidental spending, and perhaps manage some of those financial
commitments? The data is all there, but has often yet to be transformed into
easy-to-understand interfaces that can help consumers or small business owners
get their finances under control. This ends up being burdensome for people. And
it’s also quite unnecessary.
Quote for the day:
"Leadership happens at every level of the organization and no one can shirk from this responsibility." -- Jerry Junkins