Tips To Strengthen API Security
Plugging these above holes is a good start. However, these are only defensive
measures against known patterns; they aren’t helping you keep guard for
nuanced attack types. Ideally, security systems should stop cyberattacks
before they even get started. Yet, Eliyahu recognizes a big gap in how APIs
are monitored. Organizations “don’t have proper tools to know who is looking
for vulnerabilities,” he said. “Tools are typically not that advanced. They
mainly look for injections and known patterns.” Imagine a hacker probing an
API. They will likely do so by trial and error, testing undocumented
endpoints, sending malformed requests and so on. “They need to probe for hours
or days before they find something,” said Eliyahu. If an AI could detect these
odd attempts in minutes or seconds, IT could significantly reduce risk.
Security solutions should thus leverage big data and AI to create baselines of
typical behavior, then deter malicious activity the millisecond any nefarious
probing begins. Eliyahu said such a security AI must consider dozens of
behaviors such as, How is the API being accessed? What parameters are being
used? What are the relationships between parameters? What is the flow of API
calls? What type of data can be exposed?
UK, French, Belgian blanket spying systems ruled illegal by Europe’s top court
In layman’s terms that means that a government can’t build a massive database
of what everyone does and then query it later while investigating a case.
Instead, they will need to carry out targeted surveillance and data retention
- identifying specific people or accounts or phone numbers - and have a court
review those requests to make sure they are not overly broad. The ruling is
significant because it directly addresses the issue of national security -
something that has been used for years to bypass existing personal data
protection legislation - and states categorically that EU privacy laws still
apply in such circumstances, almost always. The decision includes a specific
carve-out when it comes to national security, noting that “in situations where
a Member State is facing a serious threat to national security that proves to
be genuine and present or foreseeable, that Member State may derogate from the
obligation to ensure the confidentiality of data relating to electronic
communications by requiring, by way of legislative measures, the general and
indiscriminate retention of that data for a period that is limited in time to
what is strictly necessary, but which may be extended if the threat persists.”
New Flaws in Top Antivirus Software Could Make Computers More Vulnerable
According to a report published by CyberArk researcher Eran Shimony today and
shared with The Hacker News, the high privileges often associated with
anti-malware products render them more vulnerable to exploitation via file
manipulation attacks, resulting in a scenario where malware gains elevated
permissions on the system. The bugs impact a wide range of antivirus
solutions, including those from Kaspersky, McAfee, Symantec, Fortinet, Check
Point, Trend Micro, Avira, and Microsoft Defender, each of which has been
fixed by the respective vendor. Chief among the flaws is the ability to delete
files from arbitrary locations, allowing the attacker to delete any file in
the system, as well as a file corruption vulnerability that permits a bad
actor to eliminate the content of any file in the system. Per CyberArk, the
bugs result from default DACLs (short for Discretionary Access Control Lists)
for the "C:\ProgramData" folder of Windows, which are by applications to store
data for standard users without requiring additional permissions. Given that
every user has both write and delete permission on the base level of the
directory, it raises the likelihood of a privilege escalation when a
non-privileged process creates a new folder in "ProgramData" that could be
later accessed by a privileged process.
How organizations can maintain a third-party risk management program from day one
First and foremost, we really took our time to hire subject matter experts in
our industry. We’ve got lots of practitioners that have years and years and
years of governance risk and compliance expertise. They’ve run third-party
risk programs for some of the largest banks and financial institutions in the
world. They’ve run risk programs at heavily regulated industries. Our people,
first and foremost, is a huge differentiator. Number two, our products. It’s
incredibly configurable, incredibly easy to use. But that’s such a common
thing that folks claim. I actually like to say it’s easy to administrate. Some
of the platforms that, if you will, we compete with. You can do those things,
but you need to pay IT developers or other developers or even the company that
you purchase the system from, to configure it for you. From our perspective,
we like to empower our clients to really run the programs and configure the
applications on their own. And so, from that perspective, I like to say, ease
of administration. It’s also easy to use. First and foremost, not just for our
clients, but for the vendors. So, think about it, if you’re an important
vendor in a vertical like financial services, you’re getting a million of
these questionnaires.
Game Development with .NET
All the .NET tools you are used to also work when making games. Visual Studio
is a great IDE that works with all .NET game engines on Windows and macOS. It
provides word-class debugging, AI-assisted code completion, code refactoring,
and cleanup. In addition, it provides real-time collaboration and productivity
tools for remote work. GitHub also provides all your DevOps needs. Host and
review code, manage projects, and build software alongside 50 million
developers with GitHub. The .NET game development ecosystem is rich. Some of
the .NET game engines depend on foundational work done by the open-source
community to create managed graphics APIs like SharpDX, SharpVulkan,
Vulkan.NET, and Veldrid. Xamarin also enables using platform native features
on iOS and Android. Beyond the .NET community, each game engine also has their
own community and user groups you can join and interact with. .NET is an
open-source platform with over 60,000+ contributors. It’s free and a solid
stable base for all your current and future game development needs. Head to
our new Game Development with .NET site to get an overview of what .NET
provides for you when making games. If you never used Unity, get started with
our step-by-step Unity get-started tutorial and script with C# as quick as
possible.
Suspected Chinese Hackers Unleash Malware That Can Survive OS Reinstalls
The company discovered the UEFI-based malware on machines belonging to two
victims. It works to create a Trojan file called "IntelUpdate.exe" in the
Startup Folder, which will reinstall itself even if the user finds it and
deletes it. "Since this logic is executed from the SPI flash, there is no way
to avoid this process other than eliminating the malicious firmware,"
Kaspersky Lab said. The malware's goal is to deliver other hacking tools on
the victim’s computer, including a document stealer, which will fetch files
from the “Recent Documents” directory before uploading them to the hacker’s
command and control server. Kaspersky Lab refrained from naming the
victims, but said the culprits have been going after computers belonging to
“diplomatic entities and NGOs in Africa, Asia, and Europe.” All the victims
have some connection to North Korea, be it through non-profit activities or an
actual presence in the country. While looking over the malware’s computer
code, Kaspersky Lab also noticed the processes can reach out to a command and
control server previously tied to a suspected Chinese state-sponsored hacking
group known as Winnti. In addition, the security firm found evidence the
creators behind the malware used the Chinese language while programming the
code.
Q&A on the Book Infinite Gamification
There are two types of gaming to consider here - either they are cheating or
they have found a cheap way to score points, a loophole in our program design.
For cheats, the best way to deal with this is to have a clear set of rules and
principles you expect players to follow, then if you find someone cheating you
can call them up and explain they are not acting according to the stated rules
of the program. In most cases, the person will desist but sometimes you do
need to enforce the ultimate sanction of kicking them off the program. The
second type of gaming, finding cheap ways to score points, is for you to fix.
The principle here is “don’t blame the gamer, blame the game”. There are lots
of techniques you can do - making that activity less valuable, capping the
number of points they can earn with that activity, and so on. The book lists
these. In order to do this though you need to have framed your program as one
that will iterate over time. Too many gamification programs are launched as if
these are the final rules and nothing can change - this is a recipe for
disaster; most programs aren’t right the first time around. Human nature being
what it is, by leaving room to evolve the program, you give yourself the
flexibility to get it right over time.
How to Survive a Crisis with AI-Driven Operations
As an enterprise turns to AI during a crisis -- whether for predictive sales
modelling or automating customer-center operations -- leaders must prioritize
developing employees’ core competencies around AI. Employees skilled in AI
will be of course be needed to develop and operate the new automation
advancements, but the benefit extends beyond this. AI-skilled employees can be
tapped to create a roadmap on how to best leverage the technology to drive
business value in times of crisis. Organizations should consider developing
internal reskilling and upskilling programs or using third party learning
platforms to help employees develop AI specializations. Employees can also be
instrumental in galvanizing coworkers to readily adopt new AI technology,
accelerating adoption rates as an organization looks to quickly scale up the
technology across the business to adjust operations in response to a crisis.
Enterprises need a clear data strategy around data governance in order to
scale up AI quickly and successfully. Ensuring they have a clear set of
repeatable protocols and methodologies in place to help them execute that
strategy effectively is critical, so leaders don’t have to worry about
compliance as they scale up AI in the face of a crisis.
5 blockchain use cases in finance that show value
Financial institutions traditionally work as intermediaries moving payments
between different entities, which involves complex and time-consuming
processes that add friction into transactions. Blockchain can streamline these
processes -- notably reconciliation as well as clearing and settlement -- by
removing the friction, thereby reducing the time and cost that financial
institutions incur. For example, in April 2020 European financial technology
company SIA launched a blockchain infrastructure to enable the Spunta Banca
DLT, a private permissioned distributed ledger technology-based project for
interbank reconciliation that is promoted by Italian Banking Association (ABI)
and coordinated and implemented by ABI Lab, a banking research and innovation
center. "The reconciliation process for interbank transactions in Italy --
formerly governed by the spunta process -- has been notoriously complex," said
Charley Cooper, managing director at R3, an enterprise blockchain technology
company. "With multiple parties involved, the task of identifying and
addressing inconsistencies has historically been hampered by a lack of
standardization, the use of piecemeal and fragmented communication methods and
no single version of the truth," he added.
Cloud data management – the post-Covid future of data protection for MSPs
The dynamic changes in 2020 have emphasized just how much MSPs need to be on
the front foot with innovative data management solutions. And those that are
pivoting to cloud data management are seeing both a boost in their revenue,
and an ability to Covid-proof operations. After all, customers with
on-site solutions may not be able to get an engineer visit in person.
Companies are shrinking, or growing, rapidly, and need to be able to scale up
or down accordingly – without hitting the bottom line. And for remote users
the expectation is that they can work wherever they need to, whenever they
need to. The only way MSPs can help companies meet these challenges is with
cloud data management. ... Unify complex data: With a one-stop, cloud-data
management platform, MSPs can stream customers' backup, archive and DR data,
while offering invaluable insight into entire data estates. This enables them
to gain borderless visibility of all critical data, structured and
unstructured - from a single control center in real time. Importantly this
includes Microsoft 365 and G Suite data. Eliminate downtime: Modern solutions
now instantly restore individual files or whole systems, using user-driven
recovery methods.
Quote for the day:
"Distinguished leaders impress, inspire and invest in other leaders." -- Anyaele Sam Chiyson
