Daily Tech Digest - December 20, 2022

Ransomware: It’s coming for your backup servers

Backup and recovery systems are at risk for two types of ransomware attacks: encryption and exfiltration – and most on-premises backup servers are wide open to both. This makes backup systems themselves the primary target of some ransomware groups, and warrants special attention. Hackers understand that backup servers are often under-protected and administered by junior personnel that are less well versed in information security. And it seems no one wants to do something about it lest they become the new backup expert responsible for the server. This is an age-old problem that can allow backup systems to pass under the radar of sound processes that protect most servers. It should be just the opposite. Backup server should be the most updated and secure systems in the data center. They should be the hardest to login to as Administrator or root. And they should require jumping through the most hoops to login remotely. An important role backup servers play is providing the means to recover from a ransomware attack without paying the ransom. 

How We Improved Application’s Resiliency by Uncovering Our Hidden Issues Using Chaos Testing

The goal of chaos engineering is to educate and inform the organization of unknown vulnerabilities and previously unanticipated outcomes of a computer system. A primary focus of these complex testing procedures is to identify hidden problems that can potentially arise during production environments prior to an outage failure outside of the organization’s control. Only then can the disaster recovery team address systematic weaknesses and enhance the system’s overall fault-tolerance and resiliency. Hence, Chaos testing is being carried out at various levels. ... Chaos testing is a new concept, but we always had the mindset to perform it, and we did perform it sometimes, without knowing that it was a chaos testing. It has its own principles, benefits and pitfalls. However, I would advise all teams to weigh the pros and cons of conducting these tests before formulating a plan. You should be very clear as to what you want to achieve from these disruptive tests. Take permissions from your bosses and convince them why it is important to carry out these tests. 

How Our Behavioral Bad Habits Are a Community Trait and Security Problem

Internal naming groups and conventions become exposed to the outside world in a variety of ways. They're buried in website code, detailed in technical documentation or as part of APIs, or just simply published in public system information. Admittedly, this is a very large haystack, but finding the needles is exactly what the patent I was involved in (US Patent 10,515,219) endeavors to do. Site-scanning tools collect a range of information, and unsurprisingly, an overload of information. My approach strips out all the technical programming information (such as markup, JavaScript, etc.), and leaves just words. It then compares results with lists of English words. The algorithm then identifies groupings of words or abbreviations not present in the selected language that, presumably, may signify an internal naming convention or credentials. As is common with brute-force campaigns, it may not, but as the axiom goes, the attacker only needs to be right once, so the ability to generate context-sensitive word lists may make or break your next campaign. This is when the picture may start to become clearer and the shape of things such as user groups, system names, etc., manifest.

The Agile Compromise Calls for Courage

We cannot eliminate the risk of building the wrong thing with better design and more focus groups. We can only do it by shorter and more frequent iterations of a working product that is incomplete and maybe not that great yet. That’s the Agile compromise. Shorter cycles decrease the risk of building the wrong thing but increase the risk of degrading the process. Accruing technical debt is one. Not a necessary consequence, just a standard price to pay for quicker deliveries. No pundit with stories about the constant commitment to quality will convince me otherwise. If you want greater speed, accept more risks. The Agile compromise towards risk-taking also recognizes that software, as a creative discipline, by nature exposes black swans: the risks we didn’t know we would ever run into. No engineering approach provides full reassurance against them, nor can testing and validation ever give you full peace of mind. It’s a little bit scary, but if you pride yourself on an Agile mindset, you must embrace it. Software is complex rather than complicated. Its many moving parts behave in unpredictable ways when unleashed on the world. Risks are a natural part of that property.

GPT: High-tech parlor trick or the first real AI for everyday use?

In many cases, such as ChatGPT, AI is still a parlor trick that will enthrall us until the next trick comes along. In some cases, it’s a useful technology that can augment both human and machine activities through incredibly fast analysis of huge volumes of data to propose a known reaction. You can see the promise of that in the GPT-fueled Copysmith.AI even as you experience the Potemkin village reality of today. At a basic level, AI is pattern matching and correlation done at incredible speeds that allow for fast reactions — faster than what people can do in some cases, like detecting cyberattacks and improving many enterprise activities. The underlying algorithms and the training models that form the engines of AI try to impose some sense onto the information and derived patterns, as well as the consequent reactions. AI is not simply about knowledge or information, though the more information it can successfully correlate and assess, the better AI can function. AI is also not intelligent like humans, cats, dogs, octopi, and so many other creatures in our world.

How you can stop corporate login credential theft

Organizations should take a layered approach to credential management. The goal is to reduce the number of sites users have to put passwords into. Organizations should endeavor to implement single sign-on (SSO) for all reputable necessary work applications and websites. All SaaS providers should support SSO. If there are logins that require different credentials, a password manager would be helpful in the interim. This also provides a way for employees to know if a login page can be trusted, as the password manager won’t offer credentials up for a site it does not recognize. Organizations should also enable multi-factor authentication (MFA) to secure logins. FIDO2 is also gaining adoption. It will provide a more robust solution than traditional authenticator apps, although those apps are still better than codes sent via text messages. Not all of this is foolproof, and risky login pages could slip through the net. A last resort is needed for flagging risky login pages to employees. This can be done by analyzing, in real time, threat intelligence metrics, webpage similarities, domain age and how users got to a login page. 

Security Risks, Serious Vulnerabilities Rampant Among XIoT Devices in the Workplace

The potential intent of assorted Chinese hardware manufacturers (such as Huawei and ZTE) led to a 2018 ban on use of their equipment by federal agencies. These devices remain widely in use in private organizations, however, and sometimes banned devices slip through dragnets via the process of “white labeling”. Organizations also often do not have visibility into the code that XIoT devices run on. When these devices draw on third-party firmware libraries, several possible security risks emerge. One is simply that the vendor will abandon support for the device, no longer issuing security patches to address emerging vulnerabilities. Another is that the code may be maintained by open source developers, who have the capability to insert malicious elements or even abandon or spike the project unexpectedly. A simple problem that has dogged XIoT devices from the very beginning also remains; the manufacturers are often not tech outfits and thus are not familiar with security by design elements, and/or do not have the budget in place to add them and still come in at their desired price points in competitive markets.

Understanding e-signatures: the key differences and requirements

A QES is considered to have more probative value than an AES, which means that courts will give more weight as evidence. The first key difference is that they offer a higher level of security than AES. This is because qualified signatures are created using a qualified signature creation device (QSCD), which stores the signing key. Examples of physical QSCDs include smart cards, SIM cards or USB tokens. It’s also possible for signatories to create a QES without having a physical device in their hands. In this instance, signatories remotely access a signing key, which is stored in a trusted service provider’s data centre. This is often the preferred choice for organisations since it streamlines device management. A QES must also be based on a ‘qualified certificate for electronic signatures’, which is another key difference between an AES and a QES. Only ‘Qualified trust service providers’ (QTSPs) listed on the European Union’s trusted provider database can issue this certificate. To become a QTSP, organisations must successfully complete a series of evaluations and audits that ensure compliance with eIDAS regulations.

Top cloud strategy mistakes CIOs can’t help making

“Not architecting for the cloud,” says IDC analyst Dave McCarthy, when asked where CIOs commonly go wrong when building their cloud strategy. “While it is possible to ‘lift and shift’ existing workloads, enterprises often experience less than desirable costs and performance with this approach. You need to adapt applications to cloud-native concepts to realize the full value.” CIOs also often make the mistake of “not implementing enough automation,” says McCarthy, who is research vice president of cloud and edge infrastructure services for IDC. “Best practices in cloud include automating everything from the deployment of infrastructure and applications to management and security. Most outages or security breaches are the result of manual misconfigurations. But perhaps the worst sin CIOs can make, analysts across the spectrum agree, is fail to plan for the shift in culture and skills required to devise and implement a successful cloud strategy. The cloud functions differently than traditional IT systems, and a cloud strategy must not only require new skills but a change in thinking about how to design and manage the environment, McCarthy says.

What is a business architect and how do you become one?

An enterprise architecture is comprised of different kinds of components (business strategy and outcome, technology platforms and infrastructure, and security), and a business architecture encompasses how all these things come together to best serve the business. It is a component of enterprise architecture. My responsibility as a business architect is to manage the business architecture practice and its governance. I primarily focus on establishing standards and best practices for our team's deliverables and developing relationships within our organization. I also collect information on our business and map domains (including capabilities, value streams, information, and organization) according to the business architecture framework to gain insights. I think business architecture is foundational to organizations today. A strategy is a plan of action to achieve a goal. My team receives business ideas and potential projects that align with our organization's strategies and influence our performance as a leader in our market. 

Quote for the day:

"The leader has to be practical and a realist, yet must talk the language of the visionary and the idealist." -- Eric Hoffer

No comments:

Post a Comment