Daily Tech Digest - May 24, 2022

7 machine identity management best practices

When keys and certificates are static, it makes them ripe targets for theft and reuse, says Anusha Iyer, co-founder and CTO at Corsha, a cybersecurity vendor. "In fact, credential stuffing attacks have largely shifted from human username and passwords to API credentials, which are essentially proxies for machine identity today," she says. As API ecosystems are seeing immense growth, this problem is only becoming more challenging. Improper management of machine identities can lead to security vulnerabilities, agrees Prasanna Parthasarathy, senior solutions manager at the Cybersecurity Center of Excellence at Capgemini Americas. In the worst case, attackers can wipe out entire areas in the IT environment all at once, he says. "Attackers can use known API calls with a real certificate to gain access to process controls, transactions, or critical infrastructure – with devastating results." To guard against this, companies should have strict authorization of the source machines, cloud connections, application servers, handheld devices, and API interactions, Parthasarathy says. Most importantly, trusted certificates should not be static, he says.


Kalix: Build Serverless Cloud-Native Business-Crtical Applications with No Databases

Kalix aims to provide a simple developer experience for modelling and building stateful and stateless cloud-native, along with a NoOps experience, including a unified way to do system design, deployment, and operations. In addition, it provides a Reactive Runtime that delivers ultra-low latency with high resilience by continuously optimizing data access, placement, locality, and replication. When using currently available Functions-as-a-Service (FaaS) offerings, application developers need to learn and manage many different SDKs and APIs to build a single application. Each component brings its own feature set, semantics, guarantees, and limitations. In contrast, Kalix provides a unifying application layer that pulls together the necessary pieces. These include databases, message brokers, caches, service meshes, API gateways, blob storages, CDN networks, CI/CD products, etc. Kalix exposes them into one single unified programming model, abstracting the implementation details from its users. By bringing all of these components into a single package, developers don't have to set up and tune databases, maintain and provision servers, and configure clusters, as the Kalix platform handles this.


Snake Keylogger Spreads Through Malicious PDFs

The campaign—discovered by researchers at HP Wolf Security—aims to dupe victims with an attached PDF file purporting to have information about a remittance payment, according to a blog post published Friday. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection. “While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.” Indeed, attackers using malicious email campaigns have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats, according to researchers. “The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote. 


Paying the ransom is not a good recovery strategy

“One of the hallmarks of a strong Modern Data Protection strategy is a commitment to a clear policy that the organization will never pay the ransom, but do everything in its power to prevent, remediate and recover from attacks,” added Allan. “Despite the pervasive and inevitable threat of ransomware, the narrative that businesses are helpless in the face of it is not an accurate one. Educate employees and ensure they practice impeccable digital hygiene; regularly conduct rigorous tests of your data protection solutions and protocols; and create detailed business continuity plans that prepare key stakeholders for worst-case scenarios.” The “attack surface” for criminals is diverse. Cyber-villains most often first gained access to production environments through errant users clicking malicious links, visiting unsecure websites or engaging with phishing emails — again exposing the avoidable nature of many incidents. After having successfully gained access to the environment, there was very little difference in the infection rates between data center servers, remote office platforms and cloud-hosted servers.


Beneath the surface: Uncovering the shift in web skimming

Web skimming typically targets platforms like Magento, PrestaShop, and WordPress, which are popular choices for online shops because of their ease of use and portability with third-party plugins. Unfortunately, these platforms and plugins come with vulnerabilities that the attackers have constantly attempted to leverage. One notable web skimming campaign/group is Magecart, which gained media coverage over the years for affecting thousands of websites, including several popular brands. In one of the campaigns we’ve observed, attackers obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded inside an image file—a likely attempt to leverage PHP calls when a website’s index page is loaded. Recently, we’ve also seen compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts even had anti-debugging mechanisms, in that they first checked if the browser’s developer tools were open. Given the scale of web skimming campaigns and the impact they have on organizations and their customers, a comprehensive security solution is needed to detect and block this threat.


Next generation PIM: how AI can revolutionise product data

An ideal AI-powered PIM solution addresses a gamut of data management needs that translate to benefits like analysing images and comparing them to product descriptions; translating texts automatically; analysing and comparing data; understanding the statistical rules; and correcting what doesn’t comply with those rules. The use of AI in PIM also helps create a contextualised, straightforward path for businesses to pursue by providing new insights accrued from various products and customer data sets across channels. With the right training, a neural network (deep learning) can be formed to sweep and analyse through metadata pertaining to different data sets for the delivery of accurate results across channels. Thus, it ultimately relieves organisations of time-consuming, repetitive tasks in managing changes or errors in their product data cycles. The role of PIM is constantly evolving; for example, in experiential retail, the PIM system needs to be implemented with AI for human context. Here, there is a change in both sides of the retailer-consumer dynamic, through product information management solutions that are expected to be more open network-oriented with AI.


IT Support for Edge Computing: Strategies to Make it Easier

IT vendors commonly assign account managers to major customer accounts for the purpose of managing relationships. If an issue arises, this account manager “point person” can summon the necessary resources and follow up to see that work and/or support is completed to a satisfactory resolution. IT can profit from the account manager approach with end users, especially if users have an abundance of edge applications and networks. An assigned business analyst who coordinates with tech support and others in IT can be the contact point person for an end-user department whenever a persistent problem occurs. This account manager can also periodically (at least quarterly) visit the user department and review technology performance and IT support. End users are more apt to communicate and cooperate with IT if they know they have someone to go to when they need to escalate an issue. ... There is no area of IT that is more qualified to give insights into how and where networks and systems are failing than technical support. This is because technical support is out there every day hearing about problems from end users, and then trouble-shooting the problems and deducing how they are happening.


How to Run Your Product Department Like a Coach

A key part of this new way of working was something that was drilled into me as an agile coach – keep teams together and give them time “to be teams”. Until this point, teams had formed and disbanded for each project, however, I knew that for us to move faster, the key would be high-performing teams and that takes time. Instead, we would try to keep people together and if needed, change their focus rather than disband them. This has easily been one of the most successful parts of a new way of working I brought to accuRx. As part of this focus, I worked closely with the CTO to establish clear leadership and accountability within each team. We agreed that every team would have a PM/TL (technical lead) pair, with both being held jointly accountable for the team being healthy and effective at delivering at pace. This “leadership in pairs” system has been crucial in allowing us to scale quickly whilst holding ourselves to account. The final piece of the jigsaw was ensuring that I was able to influence (or own) what our organisational structure would look like for Product (and Engineering).


Managed cloud services: 4 things IT leaders should know

Managed cloud services still require some internal expertise if you want to maximize your ROI – they should supercharge the IT team, not take its place. You can certainly use cloud managed services to do more with less – the constant marching order in today’s business world – and attain technological scale that wouldn’t otherwise be possible. But you should still do so in the context of your existing team and future hiring plans. “When developing a cloud-managed service strategy, you need to consider that we are now combining what used to be two separate sides of the house, infrastructure and application development,” DeCurtis notes. DeCurtis notes that skills such infrastructure as code will be essential for complex cloud services environments. If you’re already a mature DevOps shop, then you’re ahead of the game. Other teams may have some learning to do – and leadership may realize that people that can blend once-siloed job functions can be tough to find – though not as impossible as it once seemed. “Fortunately, these roles are becoming more readily available as organizations continue to adopt cloud strategies,” DeCurtis. 


IT risk management best practices for organisations

When we talk about risk, what we really mean is each organisation’s unique set of vulnerabilities. These loopholes are monitored, generically and specifically, by bad actors who would exploit them for financial or political gain, or occasionally just for clout. The first step, then, is to understand centres of risk within your organisation. These evolve with tech advances and behavioural change, for example with the transition to hybrid working brought on by the Covid-19 pandemic. “This has presented new challenges with expanded networks beyond the traditional office environment: no physical barriers or access controls, reduced VPN effectiveness, more endpoints and a greater attack surface to monitor,” says Folliss. “Remote working distorts an IT security team’s ability to manage and control the network and introduces new threats and vulnerabilities – and thus new risk.” So your analysis can’t be a one-off, rather a continuous, rigorous, and honest programme of testing and assessment that gets to the heart of an organisation’s DNA, says Pascal Geenens, director of threat intelligence at Radware.



Quote for the day:

"Confident and courageous leaders have no problems pointing out their own weaknesses and ignorance." -- Thom S. Rainer

No comments:

Post a Comment