Customer.io Email Data Breach Larger Than Just OpenSea
The company is not revealing how many emails are now at heightened risk of
phishing attempts as a result of the "deliberate actions" of the former
employee. Non-fungible token marketplace platform OpenSea partially divulged the
incident late last month when it warned anyone who had ever shared an email
address with it about the unauthorized transfer of contact information.
Approximately 1.9 million users have made at least one transaction on the
platform, shows data from blockchain market firm Dune Analytics. Customer.io did
not identify the other affected companies to Information Security Media Group or
specify the sectors in which they operate. The affected parties have been
alerted, the company says. The incident underscores the continuing threat posed
by insiders, who account for 20% of all security incidents, according to the
most recent Verizon Data Breach Incident Report. The costs of insider breaches,
whether caused by human error or bad actors, are going up, and the Ponemon
Institute found a 47% increase over the past two years.
Making the DevOps Pipeline Transparent and Governable
When DevOps was an egg, it really was an approach that was radically different
from the norm. And what I mean, obviously for people that remember it back then,
it was the continuous... Had nothing to do with Agile. It was really about
continuous delivery of software into the environment in small chunks,
microservices coming up. It was delivering very specific pieces of code into the
infrastructure, continuously, evaluating the impact of that release and then
making adjustments and change in respect to the feedback that gave you. So the
fail forward thing was very much an accepted behavior, what it didn't do at the
time, and it sort of glossed over it a bit, was it did remove a lot of the
compliance and regulatory type of mandatory things that people would use in the
more traditional ways of developing and delivering code, but it was a fledging
practice. And from that base form, it became a much, much bigger one. So really
what that culturally meant was initially it was many, many small teams working
in combination of a bigger outcome, whether it was stories in support of epics
or whatever the response was.
SQL injection, XSS vulnerabilities continue to plague organizations
Critical and high findings were low in mobile apps, just over 7% for Android
apps and close to 5% for iOS programs. Among the most common high and critical
errors in mobile apps identified in the report were hard-coded credentials into
apps. Using these credentials, attackers can gain access to sensitive
information, the report explained. More than 75% of the errors found in APIs
were in the low category. However, the report warns that low risk doesn’t equate
to no risk. Threat actors don’t consider the severity of the findings before
they exploit a vulnerability, it warned. Among the highest critical risks found
in APIs were function-level controls missing (47.55%) and Log4Shell
vulnerabilities (17.48%). Of all high and critical findings across companies,
the report noted, 87% were found in organizations with fewer than 200 employees.
The report identified several reasons for that, including cybersecurity being an
afterthought in relatively small organizations; a dearth of bandwidth, security
know-how, and staffing; a lack of security leadership and budget; and the speed
of business overpowering the need of doing business securely.
Three golden rules for building the business case for Kubernetes
Cost, customer service and efficiency are the three typical considerations any
business weighs up when it comes to making new investments. Will a new
initiative reduce costs in the long run, and be worth the initial expense, is
a question decision makers weigh up all the time. Kubernetes does this because
it addresses the challenge that comes in managing the potentially thousands or
tens of thousands of containers a large enterprise might have deployed. ...
The second consideration is whether the investment will mitigate the risk of
losing a customer. Is the ability to serve their needs improved as a result of
the changes? Again, Kubernetes meets the criteria here. By taking a
microservices approach to applications, it allows them and the underlying
resources they need to be scaled up or down, based on the current needs of the
organization. ... The third and final consideration is whether the new
technology or initiative will improve the ways the business operates. What
might it achieve that a business couldn’t do before?
Infrastructure-as-Code Goes Low Code/No Code
The cross-disciplinary skills required by IaC — someone with security,
operations and coding experience — is a niche, Thiruvengadam told The New
Stack. The San Jose, Calif.-based DuploCloud targets that need with a
low-code/no-code solution. “The general idea with Duplo cloud is that you can
use infrastructure-as-code, but you just have to write a lot less lines of
code,” he said. “A lot of people who don’t have all the three skill sets still
can operate at the same scale and efficiency, using this technology — that’s
fundamentally the core advantage.” Unlike some solutions, which rely on
ready-made modules or libraries, Thiruvengadam said that DuploCloud uses a low
code interface to put together the rules for its rules-based engine, which
then runs through the rules to produce the output. The self-hosted
single-tenant solution is deployed within the customer’s cloud account.
Currently, it supports deployment on Amazon Web Services, Microsoft Azure and
Google Cloud, and it can run on-premise as well.
The Compelling Implications of Using a Blockchain to Record and Verify Patent Assignments
Smart contracts could be used to put various types of conditions and
obligations on a patent asset. For example, companies might incentivize their
inventors to disclose more inventions by placing an obligation on all future
owners of an asset to pay the inventors some percentage of future licensing,
sales, settlements, or judgments involving to that asset (e.g., the inventors
get 10% of the total value of such transactions). This would allow inventors
of commercially-valuable patents to enjoy the financial benefits of their
inventions in a fashion that is more equitable than, say, a one-time nominal
payout upon filing or grant. Since patents can only be asserted when all
owners agree to do so, such contracts would have to clearly separate ownership
of a patent asset from an obligation of the owner to compensate a previous
owner for the asset's future revenue. Another potential use of smart contracts
would be for ownership of an issued patent to revert to its previous owner
should the current owner fail to pay maintenance fees on time.
Breaking down the crypto ecosystem
According to several Indian and global reports reduction in transaction costs
is further expected to propel this market growth in the next few years. In
line with global trends, increasing adoption of the digital currency by
businesses coupled with talks of a government-backed digital currency in the
country, is further anticipated to bolster the growth of the cryptocurrency
market. In the present Web 2.0 environment establishing trust and creating
social identities of the network participants has been an uphill task that the
ecosystem is unable to overcome. And since almost all economic value is traded
based on human relationships, it is a fundamental roadblock to innovation and
growth in Web 2.0. However, the outburst of cryptocurrency and Blockchain has
fuelled a rapid transition towards Web 3.0 where we have witnessed exponential
growth especially in enablers like NFTs, which has made possible acquiring,
storing, and distributing economic value among users. In fact, the
introduction of SBTs (SoulBound Tokens) could be the final piece in the puzzle
for the Web 3.0 ecosystem.
What is observability? A beginner's guide
For decades, businesses that control and depend on complex distributed systems
have struggled to deal with problems whose symptoms are often buried in floods
of irrelevant data or those that show high-level symptoms of underlying
issues. The science of root cause analysis grew out of this problem, as did
the current focus on observability. By focusing on the states of a system
rather than on the state of the elements of the system, observability provides
a better view of the system's functionality and ability to serve its mission.
It also provides an optimum user and customer experience. Observability is
proactive where necessary, meaning it includes techniques to add visibility to
areas where it might be lacking. In addition, it is reactive in that it
prioritizes existing critical data. Observability can also tie raw data back
to more useful "state of IT" measures, such as key performance indicators
(KPIs), which are effectively a summation of conditions to represent broad
user experience and satisfaction.
10 trends shaping the chief data officer role
CDOs may need to rethink cybersecurity in response to the growth of the data
sources and volume of data, said Christopher Scheefer, vice president of
intelligent industry at Capgemini Americas. These new and nontraditional data
streams require additional methods of securing and managing access to data.
"The importance of cybersecurity in a pervasively connected world is a trend
many CDOs cannot ignore due to the growing threats of IP infringement,
regulatory risks and exposure to a potentially damaging event," Scheefer said.
Rethinking and reimagining cybersecurity is no small feat. The level of
complexity of integrating connected products and operations into the business
presents an incredible amount of risk. Establishing proper governance, tools
and working with cybersecurity leadership is critical. It is the CDO's job to
ensure the business does not constrain itself, limiting external connections
and services that could bring competitive advantage and paths to growth,
Scheefer said.
Streamlining Unstructured Data Migration for M&A and Divestitures
It’s common to take all or most of the data from the original entity and dump
it onto storage infrastructure at the new company. While this may seem like
the simplest way to handle a data migration, it’s problematic for several
reasons. First, it’s highly inefficient. You end up transferring lots of data
that the new business may not actually need or records for which the mandatory
retention period may have expired. A blind data dump from one business to
another also increases the risk that you’ll run afoul of compliance or
security requirements that apply to the new business entity but not the
original one. For instance, the new business may be subject to GDPR data
privacy mandates because of its location in Europe. But if you simply move
data between businesses without knowing what’s in the data or which mandates
it needs to meet, you’re unlikely to meet the requirements following the
transfer. Last but not least, blindly moving and storing data deprives you of
the ability to trace the origins of data after the fact.
Quote for the day:
"Leaders must be good listeners. It's
rule number one, and it's the most powerful thing they can do to build
trusted relationships." -- Lee Ellis
