Remote work at industrial sites brings extra cyber risk
Consider an automation engineer who needs access to control system configuration
data remotely to analyze and optimize an industrial process. Giving remote
access directly to the engineering workstation for the control system increases
cybersecurity risk for an industrial company. In many cases, these control
systems are 20 or even 30 years old, so they weren't built with cybersecurity in
mind. Because of their critical nature in driving revenue for the business, they
are shut down and upgraded very infrequently as compared to IT systems. It is
not uncommon to have these control systems run for five to 10 years between
shutdown and maintenance routines. Therefore, they often contain known
cybersecurity vulnerabilities that are unpatched even if those patches have been
available for years. So, back to our example of the automation engineer, it
would be very risky to enable direct access to the control system engineering
workstation over the public internet even if the engineer connects to a
corporate VPN first from their home office. As a result, we recommend industrial
customers maintain separate copies of their industrial control system
configurations in an asset management system that the engineer can access
remotely.
10 Top Open Source API Gateways and Management Tools
Kong Gateway (OSS) is a popular, open-source, and advanced cloud-native API
gateway built for universal deployment: it can run on any platform. It is
written in Lua programming language and supports hybrid and multi-cloud
infrastructure, and it is optimized for microservices and distributed
architectures. At its core, Kong is built for high performance, extensibility,
and portability. Kong is also lightweight, fast, and scalable. It supports
declarative configuration without a database, using in-memory storage only, and
native Kubernative CRDs. Kong features load balancing (with different
algorithms), logging, authentication (support for OAuth2.0), rate-limiting,
transformations, live monitoring, service discovery, caching, failure detection
and recovery, clustering, and much more. Importantly, Kong supports the
clustering of nodes and serverless functions. It supports the configuration of
proxies for your services, and serve them over SSL, or use WebSockets. It can
load balance traffic through replicas of your upstream services, monitor the
availability of your services, and adjust its load balancing accordingly.
Three ways to bridge the IT skills gap in a post-pandemic world
New environments require new expertise. When it comes to cloud, for example, the
challenge of building, maintaining and monitoring a complex cloud infrastructure
is often beyond the capabilities or knowhow of existing staff. Moreover, the
technology landscape shifts so often that many teams simply can’t keep up.
According to Gartner, a majority (80%) of today’s workers feel they don’t have
the skills required for their current role and future career. Compounding the
issue, 53% of business leaders struggle to find candidates with the right
abilities during the hiring process. ... Hiring new talent may seem like the
first, most obvious solution. This enables organisations to pinpoint the type of
candidate they require, and only interview those that will fulfil that need.
However, hiring externally is made more difficult when looking for more niche
capabilities, and it certainly costs more. The pool of potential candidates is
extremely small when recruiting for roles that demand advanced IT skills, like
cloud-native orchestration, SAP expertise or DevOps, and organisations end up
paying a premium. Another obstacle when looking to hire skills from outside is
that next year’s IT budgets are likely to be reduced thanks to Covid-19. While
it isn’t wrong to hire new team members to support your existing IT team, and it
will indeed be the right choice in certain situations, it certainly isn’t the
only answer.
Will Russian Cryptocurrency Law Drive Hacker Recruitment?
Under the law, banks and exchanges in Russia can handle digital currency,
provided they register with the Bank of Russia - the country's central bank -
and maintain a register of all operators and transactions. The law also states
that only institutions and individuals who have declared transactions to
authorities can later seek redress in court, for example, if someone steals
their cryptocurrency. "In Russia, the use of bitcoin and other crypto assets as
a means of payment is prohibited. There are no signs that a change in
legislation allowing crypto assets to be used as a means of payment in Russia
will be forthcoming," legislator Anatoly Aksakov, the chief backer of
legislation designed to regulate the use of cryptocurrency, told Russian radio
station Govorit Moskva last month. "Taxation, compulsory declaration - these
things are already enforced by law," said Aksakov, who chairs the State Duma -
the lower house of the country's parliament - Committee on the Financial Market.
And going forward, he predicted "there will only be more and more control over
the holding of cryptocurrencies." Security experts say that for years, Russian
officials and intelligence agencies have looked the other way when it comes to
cybercrime, so long as criminals follow this rule: Never hack Russians or allied
countries.
A playbook for modernizing security operations
Most security operations centers are very reactive. Mature organizations are
moving toward more proactive hunting or threat hunting. A good example is if
you’re sending all of your logs through Azure Sentinel, you can do things like
Kusto Query Language and queries in analysis and data sets to look for unusual
activity. These organizations go through command line arguments, service
creations, parent-child process relationships, or Markov chaining, where you
can look at unusual deviations of parent-child process relationships or
unusual network activity. It’s a continual progression starting off with the
basics and becoming more advanced over time as you run through new emulation
criteria or simulation criteria through either red teaming or automation
tools. They can help you get good baselines of your environment and look for
unusual traffic that may indicate a potential compromise. Adversary emulations
are where you’re imitating a specific adversary attacker through known
techniques discovered through data breaches. For example, we look at what
happened with the SolarWinds supply chain attack—and kudos to Microsoft for
all the research out there—and we say, here are the techniques these specific
actors were using, and let’s build detections off of those so they can’t use
them again.
Overcoming Digital Transformation Challenges With The Cloud
The cloud can enhance information sharing and collaboration across data
platforms and digital ecosystems. Deloitte research shows 84% of physicians
expect secure, efficient sharing of patient data integrated into care in the
next five to 10 years. Real world evidence will be critically important in
enhancing digital healthcare with historical patient data, real-time
diagnostics, and personalized care. Organizations can leverage the cloud for
greater collaboration, data standardization, and interoperability across their
ecosystem. Research shows digital business ecosystems using cloud experience
greater customer satisfaction rates, with 96% of organizations surveyed saying
their brand is perceived better and saw improved revenue growth -- with
leaders reporting 6.7% average annual revenue growth (vs. 4.9% reported by
others). ... As organizations rely on the cloud, cloud security becomes
increasingly important for data integrity and workload and network security.
Information leakage, cloud misconfiguration, and supply chain risk are the top
concerns for organizations. A federated security model, zero trust approach,
and robust cloud security controls can help to remediate these risks, increase
business agility, and improve trust.
AI Can Now Identify Humans' Valnerabilities & Use Them To Influence Their Decision Making
A team of researchers at CSIRO’s Data61, the data and digital arm of
Australia’s national science agency, devised a systematic method of finding
and exploiting vulnerabilities in the ways people make choices, using a kind
of AI system called a recurrent neural network and deep
reinforcement-learning. To test their model they carried out three experiments
in which human participants played games against a computer. The first
experiment involved participants clicking on red or blue coloured boxes to win
a fake currency, with the AI learning the participant’s choice patterns and
guiding them towards a specific choice. The AI was successful about 70 percent
of the time. In the second experiment, participants were required to watch a
screen and press a button when they are shown a particular symbol (such as an
orange triangle) and not press it when they are shown another (say a blue
circle). Here, the AI set out to arrange the sequence of symbols so the
participants made more mistakes, and achieved an increase of almost 25
percent. The third experiment consisted of several rounds in which a
participant would pretend to be an investor giving money to a trustee (the
AI). The AI would then return an amount of money to the participant, who would
then decide how much to invest in the next round.
Dark web analysis shows high demand for hackers
The research found that in the vast majority of cases on these forums, most
individuals are looking for a hacker, and in 7 out of 10 ads, their main goal
is to gain access to a web resource. The research discovered that in 90% of
cases, users of dark web forums will search for hackers who can provide them
with access to a particular resource or who can download a user database. Only
seven percent of forum messages analyzed included individuals offering to hack
websites. The remaining three percent of the messages analysed were aimed at
promoting hacking tools, programs and finding like-minded people to share
hacking experience. Positive Technologies analyst, Yana Yurakova said: “Since
March 2020, we have noticed a surge of interest in website hacking, which is
seen by the increase in the number of ads on forums on the dark web. This may
have been caused by an increase in the number of companies available via the
internet, which was triggered by the COVID-19 pandemic. “As a result of this,
organizations that previously worked offline were forced to go online in order
to maintain their customers and profits, and cybercriminals, naturally, took
advantage of this situation.”
Digital Trends 2021: Responsible Business Puts Trust, Ethics, And Sustainability First
Many businesses have done some soul-searching in the wake of the pandemic,
political discord, and long-simmering equity demands. Two years ago, Business
Roundtable, an association of U.S.-based CEOs, updated its purpose statement
of a corporation to "take into account all stakeholders, including employees,
customers, and the community,” rather than only profit. Maybe that’s partly
why Gartner analysts predicted the emergence of responsible AI, meaning the
operationalization of AI accountability across organizations and society. They
saw responsible AI as an umbrella term covering many aspects of AI
implementations including value, risk, trust, transparency, ethics, fairness,
interpretability, accountability, safety, and compliance. Most analysts
predicted that sentiment analyses and metrics documenting a company’s
contributions to society’s measurements will matter even more in 2021 and over
time. Gartner analysts predicted 30 percent of major organizations will use a
“voice of society” metric to act on societal issues, and assess the impacts to
their business performance by 2024. Turns out what’s damaging to society is
damaging to business.
Agile Approaches for Building in Quality
Built-in Quality is a core pillar in agile. If you take Scrum for instance,
the team should deliver potentially shippable products. These done increments
are to be of sufficient quality. We like to say that quality is built in the
product. When working with multiple teams on one product or service, we can
apply a scaling agile framework. There are a few scaling agile frameworks,
e.g. LeSS, Nexus and SAFe. The latter is most prescriptive, so I like to look
at SAFe to answer this question. SAFe states BIQ to be one of its fundamental
pillars and advises a few practises: Think test first, automate your tests,
have a regression test strategy, set up CI/CD pipelines and embed quality in
the development process. The other frameworks are less explicit but expect you
to do good Scrum, so with that, they embrace all these development practices
as well. ... Agile coaches help teams and organisations to embrace the agile
way of working. I think agile coaching evolves into three roles: the agile
counsellor, the delivery coach, and the team coach. The team coach typically
helps the team with understanding the agile principles and mindset. In this
role, the coach can create awareness at the team level for the typical
development practices I talked about earlier.
Quote for the day:
"Generosity is giving more than you
can, and pride is taking less than you need." -- Kahlil Gibran
