Daily Tech Digest - September 22, 2022

MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches

When an organization's multi-factor authentication is configured to use 'push' notifications, the employee sees a prompt on their mobile device when someone tries to log in with their credentials. These MFA push notifications ask the user to verify the login attempt and will show where the login is being attempted. An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account owner's mobile device. The goal is to keep this up, day and night, to break down the target's cybersecurity posture and inflict a sense of "fatigue" regarding these MFA prompts. ... Ultimately, the targets get so overwhelmed that they accidentally click on the 'Approve' button or simply accept the MFA request to stop the deluge of notifications they were receiving on their phone. This type of social engineering technique has proven very successful for the Lapsus$ and Yanluowang threat actors when breaching large and well-known organizations, such as Microsoft, Cisco, and now Uber.
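The pattern described above, a run of ignored or denied push prompts followed by an approval, is something a defender can look for in MFA logs. The following is an added example, not part of the original article; the event fields, the 10-minute window and the threshold of five prompts are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, push result). Field names are assumptions.
SAMPLE_EVENTS = [
    ("2022-09-22T02:00:05", "alice", "denied"),
    ("2022-09-22T02:01:10", "alice", "timeout"),
    ("2022-09-22T02:02:30", "alice", "denied"),
    ("2022-09-22T02:03:45", "alice", "timeout"),
    ("2022-09-22T02:04:20", "alice", "denied"),
    ("2022-09-22T02:05:00", "alice", "approved"),
    ("2022-09-22T08:59:40", "bob", "timeout"),
    ("2022-09-22T09:00:10", "bob", "approved"),
    ("2022-09-22T09:15:00", "carol", "denied"),
    ("2022-09-22T13:30:00", "carol", "approved"),
]


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return (user, timestamp, kind) alerts for push prompts piling up in `window`.

    'burst': the user reached `threshold` denied/unanswered prompts in the window.
    'approved_after_burst': an approval arrived while that burst was still in the window.
    """
    recent = defaultdict(deque)  # user -> timestamps of denied/timeout prompts
    alerts = []
    for ts_text, user, result in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_text)
        queue = recent[user]
        while queue and ts - queue[0] > window:  # drop prompts older than the window
            queue.popleft()
        if result in ("denied", "timeout"):
            queue.append(ts)
            if len(queue) == threshold:
                alerts.append((user, ts_text, "burst"))
        elif result == "approved":
            if len(queue) >= threshold:
                alerts.append((user, ts_text, "approved_after_burst"))
            queue.clear()  # a completed login resets the user's counter
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the case worth treating as a likely compromise: the session it created should be revoked and the password reset, since the prompts only fire after the password has already been accepted.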


Forget digital transformation: data transformation is what you need

One of the most critical aspects of digital transformation is understanding how your organisation leverages data. Once you know how your organisation uses data, you can work on optimising data usage and applying analytics and insights to drive better business outcomes. If you don’t have a data strategy in place, your organisation will likely struggle with leveraging data for digital transformation efforts. Without a data strategy, it isn’t easy to know where your data is coming from, what type of data you have, and what you plan to do with it. Having a data strategy in place will help you determine where your data is coming from, what type of data you have, and what you plan to do with it, thus allowing you to create a plan for leveraging data for digital transformation efforts. If you want to leverage data for your digital transformation efforts, you should do a few things. First, you need to understand your data. This means assessing your data sources and determining what type of data you currently access. You also need to decide which data sources you need and where you can find them.


The human touch

Combining human and machine capabilities can create a sharper focus to how we view the world around us. So how do you square the two? How do you choose between humans, who excel at their understanding of context and nuance but cannot make consistent decisions, and automated processes, which are far better at being objective but don’t understand the decisions they’re making? The answer comes in recognizing that, while humans and machines are flawed, they are flawed in different ways. When it comes to combining them, you could start, naively, by thinking about the technology first, and expect human operators to fill in the gaps of what the system can’t yet do. Or (better) you can do things the other way around. The contrast between the technology-first and human-first approaches is well illustrated by the development of driverless cars in the last few years. Humans aren’t very good at paying attention for long periods of time, and driverless cars with human monitors have struggled to live up to their early promise. Meanwhile, collision avoidance systems – which largely use much of the same technology – are a good example of building a system around the human


There’s one thing that makes employees want to return to the office, says a new Microsoft report

Microsoft’s study found that 84% of people would be motivated to come into work more frequently by the promise of being able to enhance connections with coworkers. But most bosses are trying to use corporate policies to force them back, rather than using those human connections as leverage. “It turns out that in person connections with the person that [you] work with are the biggest draw,” says Spataro. “They’re bigger than tacos. The idea that I can actually connect with my coworker really, really matters.” Workers are demanding flexibility, which is how the hybrid work week has come into vogue. But Spataro says he thinks, ultimately, the workplace will be looking like the office we know from the pre-pandemic days, but with a lot more flexibility.


Planning the journey from SD-WAN to SASE

Today, organizations are working toward creating a more robust framework of integrated security and networking technologies referred to as Secure Access Service Edge (SASE). This is essentially a combination of SD-WAN and other networking technologies and security services, with the latter now referred to as security service edge (SSE). SSE encompasses a number of security functions to provide the requisite levels of secure connectivity with functionality such as zero-trust network access (ZTNA), data loss prevention (DLP), cloud access security brokers and more. Moving forward, network and security vendors are working to deliver tighter integration with third parties or provide a fully integrated product with both SD-WAN and SSE. Because of SD-WAN's rapid adoption to support direct internet access, organizations can leverage existing products to serve as a foundation for their SASE implementations. This would be true for both do-it-yourself as well as managed services implementations. If you are still in the planning stages for an integrated SASE deployment, you aren't alone. 


What could be the cause of growing API security incidents?

Critical infrastructure sectors such as manufacturing and energy & utilities, which typically rely on legacy systems, ranked unfavourably when measured on a number of metrics. They ranked worst on the percentage of API security incidents in the last 12 months, with 79% of manufacturing and 78% of energy & utilities respondents saying they had experienced incidents, of which they were aware. Energy & utilities companies were also the least likely to have a full inventory of APIs and know which return sensitive data, with just 19% confident about this issue. Manufacturing organizations found it most difficult to scale API security solutions, with just 30% saying they found it easy. Furthermore, real-time testing was at its lowest in energy & utilities (7%), whilst manufacturing, and energy & utilities were most likely to conduct API security testing less frequently than once per month, with 20% and 21% doing this, respectively. The relative lack of testing in these critical infrastructure sectors correlates with the number of API security incidents they have suffered in the last 12 months. 


Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards

The campaign is not the first time that threat actors have abused LinkedIn's Smart Links feature — or Slinks, as some call it — in a phishing operation. But it marks one of the rare instances where emails containing doctored LinkedIn Slinks have ended up in user inboxes, says Brad Haas, senior intelligence analyst at Cofense. The phishing protection services vendor is currently tracking the ongoing Slovakian campaign and this week issued a report on its analysis of the threat so far. LinkedIn's Smart Links is a marketing feature that lets users who are subscribed to its Premium service direct others to content the sender wants them to see. The feature allows users to use a single LinkedIn URL to point users to multiple pieces of marketing collateral — such as documents, Excel files, PDFs, images, and webpages. Recipients receive a LinkedIn link that, when clicked, redirects them to the content behind it. LinkedIn Slinks allows users to get relatively detailed information on who might have viewed the content, how they might have interacted with it, and other details.


Clive Humby – data can predict nearly everything about running a business

You really need to think about three things: first, you need to think about what do I really need? In the grocery world, the past four weeks’ transactions compared to the year-on-year sales are much more insightful than having everything because you want to know what’s changed. How do sales compare from this Easter to last Easter, this Christmas to last Christmas? Understanding relative movement in data. The second thing is to reduce the level of granularity in your data into what I call “baskets of interest”. I am much more interested in the mix of groceries you buy than individual items. And the third thing, while you might have a warehouse of data with everything in, probably every decision you make will need less than half a per cent of the data. Not trying to analyse all of your data, all the time. If you are looking for trends you don’t need to look at all of the data, just look at 10 per cent of the data. People tend to over-engineer because the technology companies have told them to.


Data science engineer: A day in the life

Between communication, data engineering, meaningful result reporting, and more, data scientists have many goals. At Xactly, my daily goal is to illustrate to the rest of the organization and our customers the value of our data. Strategy and evangelization are a huge priority. It’s important to illustrate how data science is useful in other departments like engineering, marketing, customer experience, and sales. In the space of a day, this can be messy, requiring us to dig into the details of how data was created. From this, we hope to create new predictors that could be incorporated into our models. My team focuses on solving various technical problems across the organization daily. Over time, each day’s work contributes to achieving bigger goals. I see it as solving one or two subproblems per day, which over time, feeds into solving a larger problem that serves a bigger purpose. As we finish projects, we build on that success by developing new models and making new insights. For example, a recently deployed model achieved sales forecasting accuracy of nearly 100 percent. 


Universities Urged to Defend Sensitive Research From Hackers

Lawmakers should set a minimum standard around what constitutes acceptable security for any research institutions that are either federally funded or receive federal subsidies, Evanina told the committee. Much of government doesn't have a real understanding of the academic culture and has therefore taken a "search and replace" approach to regulation, in which nonprofit universities and for-profit businesses are expected to follow the same rules, Gamache said. Poorly designed federal mandates attempting to fix cybersecurity in higher education could actually cause harm, he warned. But over the past five years, Gamache says, a number of federal agencies have really tried to understand what the academic community is all about. The FBI has led the way in this effort by going all-in on initiatives such as the Academic Security and Counter Exploitation Program, and the Department of Commerce has also become more engaged, according to Gamache.



Quote for the day:

"The art of communication is the language of leadership." -- James Humes
