
Implied in the predictions is advice to focus not just on ransomware or any
other currently trending type of cyberattack, but to prioritize cybersecurity
investments as core to managing risks and see them as investments in the
business. By 2025, 60% of organizations will use cybersecurity risk as a primary
determinant in conducting third-party transactions and business engagements,
according to Gartner's predictions. Doubling down with greater resilience across
every threat surface is key. For example, while Gartner mentions zero-trust
network access (ZTNA) in just one of the eight predictions, the core concepts of
ZTNA and its benefits are reflected in most of the predictions. The predictions
also note that investing in preventative controls is not enough, and that there
needs to be a much higher priority placed on resilience. This is because threat
surfaces grow faster than many organizations can gain visibility into and protect.
By 2025, it is expected that 80% of enterprises will adopt a strategy to unify
web, cloud services and private application access from a single vendor’s
secured service edge (SSE) platform.
"So some of the strategies that I use when I'm working with the C-level teams,
the boards of directors, is I don't just give them a summarization or my
opinion," continued O'Neill Sr. "I bring in events from insurance -- our
insurance broker or our auditors -- and I say, 'Hey, can you give me a few
examples of other customers where their cybersecurity insurance didn't get
renewed because of some event? Or can you give me an example of an audit that
failed because proper levels of protection weren't put in place?'"
"And I articulate those things to the CEOs and the boards of directors. Not in
long-worded descriptions, but basically like, 'Hey, you know, if you look at
this year, and our actual insurance broker says that they have processed claims
for a billion dollars this year because of security events where malware has
been involved.' And then I show them data where I say, 'Okay, of the 100 events
... about 15 percent of those companies never survived. They did not return back
to business.' Okay.

The savviest organizations are taking on the onus of training talent
themselves, increasingly hiring people straight out of school, according to
Jean-Marc Laouchez, president of the Korn Ferry Institute. These firms are
also trying to instill a culture of continuous learning and training.
“Constant learning — driven by both workers and organizations — will be
central to the future of work, extending far beyond the traditional definition
of learning and development,” Laouchez wrote. In that light, coding bootcamps
have become talent pools for organizations looking for skills-based applicants
over more traditional college graduates. Graduates from coding boot camps
reported a quick ROI, higher salaries, and STEM career opportunities,
according to a recent survey of 3,800 US graduates of university coding
bootcamps by US education company 2U and Gallup. All graduates reported they
saw their salaries increase by a median of $11,000 one year after graduation,
with those who moved from non-STEM to STEM jobs after graduation seeing the
highest income growth.

If the company has already concluded that it can’t hire a full-time CDO, the
next best thing is to look at individuals in the company who have some of the
skills or who have backgrounds and talents that would enable them to skill up
quickly. The first place to look is in the database group. The database
administrator should be charged with oversight of the development of the
entire corporate data architecture. When an overall data architecture is in
place, you have a structure that ensures all of your various data repositories
and processes can interact with each other in enterprise-wide data exchanges
and ensures you have the tools, such as APIs (application programming
interfaces) and ETL (extract, transform, load), to facilitate integration.
This also means eradicating stand-alone data silos that might exist within the
company. ... The database group can work hand in hand with the IT security
group to make sure all data is properly secured and that it meets corporate
governance standards, even if the data is incoming from third-party
vendors.

When looking at the security of links between a company and its business
partners, BCS volunteer Petra Wenham says: “We must include the company’s IT
in that statement and the security of a partner’s IT system.” Junade Ali, a
technologist with an interest in software engineering management and computer
security, points to the OAuth vulnerability as an example of the risks
organisations face across their supply chains when they connect or make use of
third-party systems. “In the recent past, I’ve worked on changing practices
across the industry when it comes to password security,” he says. “I developed
the anonymity models used by Have I Been Pwned, the developer tooling needed
to improve password security practices and published scientific studies used
to change the industry understanding of the best practice.” What Ali learned
was that the reuse of compromised credentials from one low-value website (say,
a pizza restaurant) often cascades to compromising someone’s online banking.
He adds: “The message here is clear – security isn’t purely within our fiefdom
and we depend on others to keep our data safe.”

Due to the low security and visibility of these devices, they are an ideal
environment for staging secondary attacks on more valuable targets inside the
victim's network. To do this, an attacker will first get into the company's
network through traditional approaches like phishing. Attackers can also gain
access by targeting an Internet-facing IoT device such as a VoIP phone, smart
printer, or camera system, or an OT system such as a building access control
system. Since most of these devices use default passwords, this type of breach
is often trivial to achieve. Once on the network, the attacker will move
laterally and stealthily to seek out other vulnerable, unmanaged IoT, OT, and
network devices. Once those devices have been compromised, the attacker just
needs to establish a communication tunnel between the compromised device and
the attacker's environment at a remote location. In the case of UNC3524,
attackers used a specialized version of Dropbear, which provides a
client-server SSH tunnel and is compiled to operate on the Linux, Android, or
BSD variants that are common on those devices.
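The paragraph above describes the last step of the chain, a persistent SSH tunnel from a compromised, unmanaged device out to attacker infrastructure. The detection heuristic below is an added example, not code from the page or from the UNC3524 reporting it summarizes: it assumes a simplified, constructed flow-log format (source, destination, destination port, duration, bytes out), a constructed list of IoT/OT subnets, and constructed thresholds, and flags long-lived outbound connections on SSH-style ports from those subnets to addresses outside the internal ranges.

```python
"""Flag long-lived outbound SSH-style connections from unmanaged device subnets.

Added example, not from the page or its sources. Flow format, subnets and
thresholds are all constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: subnets holding cameras, VoIP phones, printers and building
# controllers on this hypothetical network.
IOT_OT_SUBNETS = [ipaddress.ip_network("10.50.0.0/16"),
                  ipaddress.ip_network("192.168.77.0/24")]

# Constructed: address space treated as internal; anything else is external.
INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("172.16.0.0/12"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Constructed policy thresholds: an SSH / alternate-SSH session from an
# unmanaged device to an external host lasting at least this long is suspect.
SSH_PORTS = {22, 2222}
MIN_DURATION_S = 600


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    duration_s: int
    bytes_out: int


def parse_flow(line):
    """Parse one comma-separated flow record into a Flow."""
    src, dst, port, dur, out = line.split(",")
    return Flow(src.strip(), dst.strip(), int(port), int(dur), int(out))


def is_iot_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOT_OT_SUBNETS)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_SUBNETS)


def suspicious_tunnels(lines):
    """Return flows matching the IoT -> external, SSH-port, long-lived pattern."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and the header/comment line
        f = parse_flow(line)
        if (is_iot_source(f.src_ip) and is_external(f.dst_ip)
                and f.dst_port in SSH_PORTS and f.duration_s >= MIN_DURATION_S):
            hits.append(f)
    return hits


# Constructed sample flow records (documentation/TEST-NET addresses as "external").
SAMPLE_FLOWS = """\
# src_ip, dst_ip, dst_port, duration_s, bytes_out
10.50.3.21, 10.0.1.5, 443, 12, 2048
10.50.3.21, 203.0.113.9, 22, 86400, 5242880
192.168.77.14, 198.51.100.77, 2222, 4000, 1048576
192.168.77.14, 198.51.100.77, 22, 30, 4096
10.10.8.4, 203.0.113.9, 22, 90000, 1048576
"""

if __name__ == "__main__":
    for f in suspicious_tunnels(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {f.src_ip} -> {f.dst_ip}:{f.dst_port} "
              f"held {f.duration_s}s, {f.bytes_out} bytes out")
```

Run as-is, it alerts on two of the five constructed records: the camera-subnet host holding a day-long session to an external address on port 22, and the building-controller subnet host on port 2222. The short port-22 flow is below the duration threshold and the last flow comes from a managed subnet, so neither is flagged; in practice the managed-host case would be handled by the endpoint tooling that unmanaged devices lack, which is the gap the paragraph is about.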

Organizational problems often involve low buy-in and a lack of concentration
from leadership as a business attempts to see a digital transformation
through. That hampers the effort’s potential success and long-term viability.
Inadequate knowledge of digital capabilities and a lack of organizational
talent can prevent broader buy-in and properly scaled transformative efforts.
Technology roadblocks commonly include low support from partners in scaling
deployment while facing multiple platform choices, which hinders an
organization’s ability to move quickly into new territory. The
transformation’s starting point can also stall when leaders aren’t convinced
of their ability to increase the size and scope of the digital architecture
they choose for implementation. AI companies have tried many approaches to
overcome these barriers and realize improved performance through digital
manufacturing transformations. An examination of advanced manufacturing
lighthouses reveals two critical reasons that their transformations succeeded:
first, they chose the right use cases; second, they looked for ways that those
use cases could reinforce one another.

The metaverse is designed to function through the use of digital avatars that
each user creates for themselves. Ostensibly, this avatar will be both unique
and secure, which will allow the real human it represents to use their
personally identifiable information (PII) and other sensitive information to
make purchases, do work and even receive healthcare. In addition, through the
avatar, the user can interact with others in the digital space, including
working with colleagues in a virtual office. The concern, however, is that
because the avatar is, fundamentally, the skeleton key to your private offline
information, from your PII to your financial accounts, if a hacker gains access
to your avatar, then they can open the door to your entire life. This holds the
potential to take identity theft to an unprecedented level. Identity theft in
the metaverse can also take another, and perhaps even more sinister, turn,
however. If hackers gain control of your avatar, they may well engage in
behaviors that can ruin your relationships and reputation, and may even put your
offline safety at risk.

Move computing power to where the data is. Determining whether edge or cloud is
optimal for a particular workflow or use case can cause analysis paralysis. Yet
the truth is the models are complementary, not competing. “The general rule of
thumb is that you’re far better moving compute to the data than vice versa,”
said Robert Blumofe, executive vice president and chief technology officer at
Akamai. “By doing so, you avoid back hauling, which hurts performance and is
expensive.” Consider an e-commerce application that orchestrates actions like
searching a product catalog, making recommendations based on history, or
tracking and updating orders. “It makes sense to do the compute where that data
is stored, in a cloud data warehouse or data lake,” Blumofe said. The edge, on
the other hand, lends itself to computing on data that’s in motion — analyzing
traffic flow to initiate a security action, for example. Go heavy on
experimentation. It’s still early days in edge computing, and most companies are
at the beginning of the maturity curve, evaluating how and where the model can
have the most impact.

The problem here is that surveillance technologies such as these have been
commercialized. It means capabilities that historically have only been available
to governments are also being used by private contractors. And that represents a
risk, as highly confidential tools may be revealed, exploited,
reverse-engineered and abused. As Google said: “Our findings underscore the
extent to which commercial surveillance vendors have proliferated capabilities
historically only used by governments with the technical expertise to develop
and operationalize exploits. This makes the Internet less safe and threatens the
trust on which users depend.” Not only this, but these private surveillance
companies are enabling dangerous hacking tools to proliferate, while giving
these high-tech snooping facilities available to governments — some of which
seem to enjoy spying on dissidents, journalists, political opponents, and human
rights workers. An even bigger danger is that Google is already tracking at
least 30 spyware makers, which suggests the commercial surveillance-as-a-service
industry is strong.

Quote for the day:
"Strategy is not really a solo sport – even if you're the CEO." -- Max McKeown