MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches
When an organization's multi-factor authentication is configured to use 'push'
notifications, the employee sees a prompt on their mobile device when someone
tries to log in with their credentials. These MFA push notifications ask the
user to verify the login attempt and will show where the login is being
attempted. An MFA Fatigue attack is when a threat actor runs a script that
attempts to log in with stolen credentials over and over, causing what feels
like an endless stream of MFA push requests to be sent to the account's
owner's mobile device. The goal is to keep this up, day and night, to break
down the target's cybersecurity posture and inflict a sense of "fatigue"
regarding these MFA prompts. ... Ultimately, the targets get so overwhelmed
that they accidentally click on the 'Approve' button or simply accept the MFA
request to stop the deluge of notifications they were receiving on their
phone. This type of social engineer technique has proven to be very successful
by the Lapsus$ and Yanluowang threat actors when breaching large and
well-known organizations, such as Microsoft, Cisco, and now Uber.
Forget digital transformation: data transformation is what you need
One of the most critical aspects of digital transformation is understanding
how your organisation leverages data. Once you know how your organisation uses
data, you can work on optimising data usage and applying analytics and
insights to drive better business outcomes. If you don’t have a data strategy
in place, your organisation will likely struggle with leveraging data for
digital transformation efforts. Without a data strategy, it isn’t easy to know
where your data is coming from, what type of data you have, and what you plan
to do with it. Having a data strategy in place will help you determine where
your data is coming from, what type of data you have, and what you plan to do
with it, thus allowing you to create a plan for leveraging data for digital
transformation efforts. If you want to leverage data for your digital
transformation efforts, you should do a few things. First, you need to
understand your data. This means assessing your data sources and determining
what type of data you currently access. You also need to decide which data
sources you need and where you can find them.
The human touch
Combining human and machine capabilities can create a sharper focus to how we
view the world around us. So how do you square the two? How do you choose
between humans, who excel at their understanding of context and nuance but
cannot make consistent decisions, and automated processes, which are far
better at being objective but don’t understand the decisions they’re making?
The answer comes in recognizing that, while humans and machines are flawed,
they are flawed in different ways. When it comes to combining them, you could
start, naively, by thinking about the technology first, and expect human
operators to fill in the gaps of what the system can’t yet do. Or (better) you
can do things the other way around. The contrast between the technology-first
and human-first approaches is well illustrated by the development of
driverless cars in the last few years. Humans aren’t very good at paying
attention for long periods of time, and driverless cars with human monitors
have struggled to live up to their early promise. Meanwhile, collision
avoidance systems – which largely use much of the same technology – are a good
example of building a system around the human
There’s one thing that makes employees want to return to the office, says a new Microsoft report
Microsoft’s study found that 84% of people would be motivated to come into
work more frequently by the promise of being able to enhance connections with
coworkers. But most bosses are trying to use corporate policies to force them
back, rather than using those human connections as leverage. “It turns out
that in person connections with the person that [you] work with are the
biggest draw,” says Spataro. “They’re bigger than tacos. The idea that I can
actually connect with my coworker really, really matters.” Workers are
demanding flexibility, which is how the hybrid work week has come into vogue.
But Spataro says he thinks, ultimately, the workplace will be looking like the
office we know from the pre-pandemic days, but with a lot more flexibility.
... Workers are demanding flexibility, which is how the hybrid work week has
come into vogue. But Spataro says he thinks, ultimately, the workplace will be
looking like the office we know from the pre-pandemic days, but with a lot
more flexibility.
Planning the journey from SD-WAN to SASE
Today, organizations are working toward creating a more robust framework of
integrated security and networking technologies referred to as Secure Access
Service Edge (SASE). This is essentially a combination of SD-WAN and other
networking technologies and security services, with the latter now referred to
as security service edge (SSE). SSE encompasses a number of security functions
to provide the requisite levels of secure connectivity with functionality such
as zero-trust network access (ZTNA), data loss prevention (DLP), cloud access
security brokers and more. Moving forward, network and security vendors are
working to deliver tighter integration with third parties or provide a fully
integrated product with both SD-WAN and SSE. Because of SD-WAN's rapid
adoption to support direct internet access, organizations can leverage
existing products to serve as a foundation for their SASE implementations.
This would be true for both do-it-yourself as well as managed services
implementations. If you are still in the planning stages for an integrated
SASE deployment, you aren't alone.
What could be the cause of growing API security incidents?
Critical infrastructure sectors such as manufacturing and energy &
utilities, which typically rely on legacy systems, ranked unfavourably when
measured on a number of metrics. They ranked worst on the percentage of API
security incidents in the last 12 months, with 79% of manufacturing and 78% of
energy & utilities respondents saying they had experienced incidents, of
which they were aware. Energy & utilities companies were also the least
likely to have a full inventory of APIs and know which return sensitive data,
with just 19% confident about this issue. Manufacturing organizations found it
most difficult to scale API security solutions, with just 30% saying they
found it easy. Furthermore, real-time testing was at its lowest in energy
& utilities (7%), whilst manufacturing, and energy & utilities were
most likely to conduct API security testing less frequently than once per
month, with 20% and 21% doing this, respectively. The relative lack of testing
in these critical infrastructure sectors correlates with the number of API
security incidents they have suffered in the last 12 months.
Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards
The campaign is not the first time that threat actors have abused LinkedIn's
Smart Links feature — or Slinks, as some call it — in a phishing operation.
But it marks one of the rare instances where emails containing doctored
LinkedIn Slinks have ended up in user inboxes, says Brad Haas, senior
intelligence analyst at Cofense. The phishing protection services vendor is
currently tracking the ongoing Slovakian campaign and this week issued a
report on its analysis of the threat so far. LinkedIn's Smart Links is a
marketing feature that lets users who are subscribed to its Premium service
direct others to content the sender want them to see. The feature allows users
to use a single LinkedIn URL to point users to multiple marketing collateral —
such as documents, Excel files, PDFs, images, and webpages. Recipients receive
a LinkedIn link that, when clicked, redirects them to the content behind it.
LinkedIn Slinks allows users to get relatively detailed information on who
might viewed the content, how they might have interacted with it, and other
details.
Clive Humby – data can predict nearly everything about running a business
You really need to think about three things: first, you need to think about
what do I really need? In the grocery world, the past four weeks’ transactions
compared to the year-on-year sales are much more insightful than having
everything because you want to know what’s changed. How do sales compare from
this Easter to last Easter, this Christmas to last Christmas? Understanding
relative movement in data. The second thing is to reduces the level of
granularity in your data into what I call “baskets of interest”. I am much
more interested in the mix of groceries you buy than individual items. And the
third thing, while you might have a warehouse of data with everything in
probably every decision you make will need of less than half a per cent for
the data. Not trying to analyse all of your data, all the time. If you are
looking for trends you don’t need to look at all of the data, just look at 10
per cent of the data. People tend to over-engineer because the technology
companies have told them to.
Data science engineer: A day in the life
Between communication, data engineering, meaningful result reporting, and
more, data scientists have many goals. At Xactly, my daily goal is to
illustrate to the rest of the organization and our customers the value of our
data. Strategy and evangelization are a huge priority. It’s important to
illustrate how data science is useful in other departments like engineering,
marketing, customer experience, and sales. In the space of a day, this can be
messy, requiring us to dig into the details of how data was created. From
this, we hope to create new predictors that could be incorporated into our
models. My team focuses on solving various technical problems across the
organization daily. Over time, each day’s work contributes to achieving bigger
goals. I see it as solving one or two subproblems per day, which over time,
feeds into solving a larger problem that serves a bigger purpose. As we finish
projects, we build on that success by developing new models and making new
insights. For example, a recently deployed model achieved sales forecasting
accuracy of nearly 100 percent.
Universities Urged to Defend Sensitive Research From Hackers
Lawmakers should set a minimum standard around what constitutes acceptable
security for any research institutions that are either federally funded or
receive federal subsidies, Evanina told the committee. Much of government
doesn't have a real understanding of the academic culture and has therefore
taken a "search and replace" approach to regulation, in which nonprofit
universities and for-profit businesses are expected to follow the same rules,
Gamache said. Poorly designed federal mandates attempting to fix cybersecurity
in higher education could actually cause harm, he warned. But over the past
five years, Gamache says, a number of federal agencies have really tried to
understand what the academic community is all about. The FBI has led the way
in this effort by going all-in on initiatives such as the Academic Security
and Counter Exploitation Program, and the Department of Commerce has also
become more engaged, according to Gamache.
Quote for the day:
"The art of communication is the
language of leadership." -- James Humes
