Friday, June 22, 2018

Disgruntled employees can pose serious threat


Tesla, the American multinational corporation that specializes in electric vehicles, energy storage and solar panels. A disgruntled Tesla employee broke into the company’s manufacturing operating system and sent highly sensitive data to unknown third parties. This is a steadily growing trend that is being witnessed in various parts of the world. Unhappy employees / sacked employees and some cases even high performing ex-employees try to actively damage their ex-employer. Such employees should be ashamed of themselves.

What can Employers do?

well, there is help available now. Technology can help address this issue. We now have Behavior analysis solutions that can figure out the current mood of your employees - are they happy? sad? Angry? Frustrated? Pose a danger to organization? The solution is called User and Entity Behavior Analytics.




Saturday, May 26, 2018

Fancy Bear returns


The hackers responsible for Democratic National Convention (DNC) hack in 2016 are back in the news again. On May 23rd - Cisco announced a major breach of over 500,000 routers and network storage devices. FBI acted swiftly and seized the internet domain that was used in the attack, cutting off the communication between the hackers and the infected devices. For now, the hackers will not be able to exploit these half a million devices for their malicious intentions but the malware still resides in all these devices. The infected devices are spread over 50 countries and the most likely author of this Malware is Fancy Bear - the hackers behind the 2016 DNC hack.

Researchers found VPNFilter source code on these infected devices - the malware that was used by Russia to attack Ukraine including the massive power outage. VPNFilter is hard to detect, works in Stealth mode and is known to steal critical data from Infrastructure systems.

As an immediate next step - it is advised to reboot the devices, change the passwords, do not use default passwords and disable remote admin on all internet facing devices. Legacy security systems depend on static policies and rules for their providing security, In an ever changing threat landscape of current times - there is a need for RAP - Risk Adaptive Protection, which will understand the behavior of people and adversaries to dynamically change policies and rules to provide better security.



Thursday, May 3, 2018

Forcepoint helping its customers build a secured data environment

My interview with VAR India
By VARINDIA    2018-04-23


Calling for a shift in the way cyber security is approached, Ajay Dubey, National Manager - Partners & Alliances – Forcepoint tells VAINDIA of how as a security focused company, Forcepoint is trying to address the challenges that crop up while securing its customers and their critical data - 
 
How is your organization geared up with security strategies for the industry at large?
Cyber security as a domain is going through a constant churn to help organisations stay focused on protecting against breaches, protecting critical business data at all times and complying with regulations. This is the reason, over the years, cyber security budgets have increased multi-fold, making it a huge industry. But, despite all these investments, the cyber security attacks have only increased. 

This calls for a complete shift in the way cyber security is approached. If you look at threats and technologies, they continue to evolve, but one thing that has remained constant throughout is people. This is what Forcepoint is doing, it is rethinking security from a human-centric approach. The approach emphasizes understanding human behaviour and user interaction with critical data over networks of different trust levels to combat cyber-attacks. 

Can you highlight the solutions you are offering for addressing the growing challenge of cyber security?
At Forcepoint, we have unique cyber security solutions for protecting the data - 

•    Our CASB (Cloud Access Security Broker) is designed to secure data on the cloud. CASB solutions address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control. We acquired Cloud Access Security Broker (CASB) firm Skyfence that has helped increase visibility, control and security as users interact with data wherever it resides, including within cloud applications.

•    Forcepoint’s UEBA (User and Entity Behaviour Analytics) helps organizations to baseline behaviour of users and also entities like endpoint servers or applications and then see if there are any deviations from normal baseline. We acquired Red Owl, a leader UEBA (User and Entity Behaviour Analytics) technology to better understand and manage human risk.

•    Forcepoint’s Web and Email Security Solutions protect users against multistage advanced threats that often exploit user’s data, which penetrate the organisation’s IT defences. 

•    Forcepoint NGFW (Next Generation Fire Wall) caters not only to network needs but also security needs of all the networks of our customers. With NGFW 6.4, network security admins can more clearly see and understand the rhythm of their people as they use network resources. 

•    Our data protection is integrated with DLP (Data Loss Protection) solution and now we have augmented our DLP with insider threat and UEBA (User Entity Behaviour Analytics) solution that understands the context and intent of user behaviour and dynamically applies enforcement policies to activity representing the highest risk.

How are you seeing the security trend to continue in 2018? 
The biggest security trend in 2018 will be EU’s GDPR regulation which will have a considerable impact on nations that control or process data of EU citizens. With the regulation of GDPR coming into action in May 2018, the focus should now shift towards three areas like the adoption of the prescribed nature of controls in the regulation in specific areas, improvement of the existing privacy structure to work according to the requirements of the regulation and reassessing the opportunity of processing in the context of GDPR. 

The second massive trend that’s being observed is the adoption of cloud. Even highly regulated industries like banks have started to adopt cloud on a big scale but the problem with cloud is that it opens up everything and it does not restrict the access anymore.  

Additionally, the IT security solutions are unable to understand behaviour of malicious, accidental or compromised users in spite of the technology investments. Therefore, cyber security must move from a technology-centric view to one that understands human behaviour and intent and employ a security system that can effectively do the same.

With new wave of security intelligence and its intensification, what are your prospect marketing plans?
Forcepoint’s unique brand strategy of focusing on cyber behaviours instead of emphasizing just on technology to protect a perimeter that no longer exists has helped customers in building a data secured environment. This approach requires both intelligent systems and transparent collaboration between an organization’s stakeholders. 

Our brand’s theme of protecting organisations against accidental, compromised or malicious users to protect against data thefts reflect the shift in the current security paradigm, which is largely technology-oriented, to focus on people as they interact with critical business data and intellectual property. 

How are you going to leverage your market strategy to further boost your presence in the country?

Our approach is to help our customers increase their security effectiveness while lowering risks as they accelerate digital transformation of their business. We continue to engage with companies across the entire ecosystem including Banking and Finance, IT and ITeS, Manufacturing, Government, Pharmaceutical, Insurance and many more to help them understand the need to protect critical data and importance of providing their employees access to the right data whenever and wherever it’s needed. 

Friday, April 6, 2018

The World This Week - April 1, 2018


The World This Week.

Truth is sometimes stranger than fiction. But for the whistle blower - It would have been impossible to believe that a company like Facebook would have allowed itself to be used by such spurious app developers.

In a nutshell – A company called Cambridge Analytica paid nearly $1M to Cambridge psychologist Aleksandr Kogan to create an app called ‘thisisyourdigitallife’. The intent of the app was to collect Facebook user profile data and pages liked in the guise of an online personality quiz. The app was able to directly access 270,000 user’s data. Here is the real catch – using this data the app developers were able to access data of 50M users – which they then misused to allegedly influence Donald Trump Victory in 2016. They apparently also influenced several other democracies including India, Argentina, Kenya, Nigeria, The Czech Republic and others.

There have been several data breaches in the recent past – Equifax, Yahoo, Deloitte, NSA, Indian telco giant – Reliance Jio and few more but there is none as damaging as this Facebook fiasco. Facebook itself seems to be under fire with the “#DeleteFacebook” hashtag trending, Mark Zuckerberg has formally apologized but his troubles are far from over. Many governments will be under pressure – political parties will have to answer a lot of questions. You and me – public at large are the helpless victims – what more this borrowed phrase summarizes this point – “If you’re Not Paying for It; you’re the Product”.

Among other major whistle blower new grabbers were the leak of CBSE board exam papers in India and possible fraud / conflict of interest at board room level of India’s ICICI bank.

Yet another data leak - US based Orbitz – a subsidiary of Expedia – has suffered a leak 880,000 credit card numbers putting that many people in risk.

So here’s what we can start doing differently from tomorrow. Be alert and vigilant on what you share on social media, when creating online account – avoid using Facebook to login or authenticate yourself. Don’t believe everything that you see in the social Media – especially WhatsApp. Think before you forward.

Business are equally vulnerable if not more to data thefts. Among the few options that companies have – the prominent one is to safeguard and have controls over PPT – People, Process and Technology. Like they say – never try to make a Matchbox at home – it will not only cost more – it will be a far from a perfect product – Cyber security is similar – In-house is fine for certain areas but for most of the other areas outside help is always better. It will not only cost lesser dollars – it is sure shot to work.

Thursday, March 22, 2018

iNews - Around The World This Week


1)     Cyber security, AI top technologies for healthcare firms - Cyber security (77 per cent), Big Data analytics (72 per cent) and AI (59 per cent) are the three digital technologies most utilized by healthcare firms currently," Infosys said in its report titled "Digital Outlook for Healthcare and Life Sciences Industry. According to the report, nearly 76 per cent of the life sciences firms that were surveyed considered investing in cyber security over the next three years for protecting patient data.

2)     Powerful APT Malware “Slingshot” Performs Highly Sophisticated Cyber Attack to Compromise Router - Slingshot is one of the powerful cyber threat actor that mainly targeting individuals and organization and the major victims belong to Africa and the Middle East. Slingshot  attacked 100 of victims who is located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania

3)     Endpoint and Mobile Top Security Spending at 57% of Businesses - Businesses say data-at-rest security tools are most effective at preventing breaches, but spend most of their budgets securing endpoint and mobile devices. There is a disconnect between businesses' ideal security practices and their actual strategies. Some 77% of companies cite data-at-rest security tools as the most effective for preventing breaches but fall toward the bottom (40%) of security spending priorities, new data shows.

4)     Frost Bank Says Data Breach Exposed Check Images - According to the company, it discovered last week that a third-party lockbox software program had been compromised, resulting in unauthorized users being able to view and copy images of checks stored electronically in the image archive. Frost Bank systems weren’t impacted in the incident, Frost says. The information that was accessed as part of the incident could be used to forge checks, the company says.

5)     Walmart Jewelry Partner Exposes Millions in Latest Cloud Storage Misconfig - The Chicago, Illnois-based jewelry company, which operated under the name Limogés Jewelry, left names, addresses, ZIP codes, phone numbers, email addresses, IP addresses and passwords publicly available in an AWS S3 bucket – data that can be used to carry out targeted fraud or phishing attempts.

6)     Dragonfly Compromises Core Router to Attack Critical Infrastructure - Dragonfly, the threat actor that was recently called out by the United States as an arm of the Russian government, has been observed using a compromised core router as one of its primary tools in attacks against government agencies and critical infrastructure in Western Europe. “This is a discovery whose significance far outweighs its size, given that core router compromises are considerably harder to detect, analyze, patch, and remediate than compromises of PCs,” Cylance researchers said.

7)     Cybersecurity Incident Response Still Major Issue - Over 75% of respondents across the globe admitted that they do not have a formal cybersecurity incident response plan in place across their organization. However, nearly three-quarters (72%) of organizations report feeling more cyber-resilient today than last year and feel confident about their skilled personnel. This confidence may be misplaced, with the analysis revealing that 57% of respondents said the time to resolve an incident has increased, while 65% reported the severity of the attacks has increased.

8)     Chinese APT Takes Aim at Pharma - A Chinese advanced persistent threat (APT) actor has been spotted using the infamous PlugX malware to target pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information. A remote access Traojan (RAT), allows attackers to perform various malicious operations on a system without the user’s permission or authorization, including copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity.

9)     Twitter Users Bilked out of Big Money by Elon Musk Clones - Twitter users are collectively being conned out of tens of thousands of dollars per day via fraud schemes involving accounts impersonating celebrities, including Elon Musk and Vitalik Buterin, the man behind the Ethereum cryptocurrency. The scam tweets ask for a small sum to be sent to an account, promising victims that they will receive much larger amounts back in a classic chain-letter gambit. An analysis of the Ethereum blockchain showed that the tactic is working, with thousands of dollars being sent to the bad actors. The fake accounts have struck hundreds of times over the last two months, with the most successful taking away over $70,000 per day.

10)  Nearly 90% of Firms Will Use Biometrics by 2020 - The vast majority of organizations will use biometric authentication technology by 2020, but concerns over vendor transparency persist. 62% use it already in some form, while an additional 24% will do so in the next two years. However, although most believe it to be a more secure alternative to static passwords, PINs and personal security questions, just 10% claimed biometrics are secure enough to be used as the only form of authentication.

Monday, February 5, 2018

iNews - Around The World This Week

1)     3 Ways Hackers Steal Your Company's Mobile Data - The most effective data exfiltration prevention strategies are those that are as rigorous in vetting traffic entering the network as they are traffic leaving it. It's the unfortunate reality of the cybersecurity threat landscape today that malicious actors are advancing their tactics at a breakneck pace, finding new vulnerabilities in network defenses to execute attacks faster than IT teams can keep up.

2)     ANZ Bank suffers 10-hour internet banking outage - ANZ Bank suffered a major outage of its internet banking service with users reporting problems for much of Monday. The outage appears to have started just after 10am Sydney time and was not resolved until just before 8pm - resulting in 10 hours of downtime. Earlier, users took to social media to complain about the issues, which the bank said on its Twitter account were “intermittent” and the IT team was working to fix “as a matter of priority”.

3)     Cyberattacks on Israeli banks rose in last six months - Israel's banking regulator warned banks and their customers on Sunday to be more vigilant against cyber criminals following a rise in hacking attempts in recent months. "In the last half year, we have seen an increase in attempts at fraud via phishing, aimed at banking system customers with the intent to steal funds from their accounts," the central bank said, adding that the attacker initially tries to steal the customer's login and other personal details aimed at transferring funds between accounts.

4)     Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit - 2017 was the year of high profile data breaches and ransomware attacks, but from the beginning of this year, we are noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals. According to the Proofpoint researchers, cybercriminals are using at least 25 machines to scan the internet to find vulnerable Windows computers.

5)     Cyberattack Impersonates FBI Internet Crime Complaint Center - A new cyberattack scams people into providing personal data and downloading malicious files by impersonating the Internet Crime Complaint Center, a division of the FBI intended to give the public a reliable means of reporting suspected illegal activity online. Threat actors trick victims into sharing personal information with fake IC3 messages laced with malware.

6)     APIs Pose 'Mushrooming' Security Risk - As APIs grow in prominence, top security concerns include bots and authentication. The application economy has now become the API economy. And as the importance of application programming interfaces (APIs) grows within the enterprise, organizations must keep their security top-of-mind, lest they put the entire software stack at risk as APIs deployed without security measures expose organizations to yet another class of attack vectors.

7)     3 Simple Steps to Securing Your ICS Systems against Digital Threats - We live in a world where connectivity is key. It’s brought conveniences to our personal lives, and organizations are adopting it into the industrial world to boost productivity. Industrial control systems (ICS), which manage utilities like water, gas, and electricity, are one such example of this ongoing trend. Organizations are putting ICS systems online so that jobs once carried out manually can now be carried out remotely or with the help of automation. ICS systems are a key target for cybercriminals. Security should therefore be a priority; given the importance of ICS, one would assume these systems would be running the most secure technology available. This is not the case. Much of the equipment is at risk of aging out, that is, requiring replacement or upgrade with very little security.

8)     Infrastructure-Based Security Vulnerabilities Put Your Business in Peril - With dozens of breaches and millions left violated, 2017 has witnessed a historic amount of hacking. This year has been stained with numerous hacking incidents, including WannaCry, Petya and Cloudbleed. Of these many cases, the Equifax data breach can be crowned the most significant hack of the year, having exposed the personal data of nearly 148 million people.

9)     How to Utilize the Cloud to Mitigate Cybersecurity Risks to Security Hardware - Today, cybersecurity is on all our minds. Every other day, we get news of another cyberattack. As more organizations struggle to keep up with the onslaught of these new threats, many are asking: “What can we do to strengthen our cybersecurity posture?” When we want to quantify it, consider the concept of risk. In its simplest form, the risk associated with a system is the impact of it malfunctioning, multiplied by the likelihood that a malfunction will occur.

Can We Be Smarter Than The Smart Cities We’re Building? - Imagine a world where everything is connected. All information and communication technologies are integrated into a single, consolidated platform. With the rapid increase in smart city capabilities, this idea may soon become our reality. The smart cities vision is to seamlessly integrate information and communication technologies with the internet of things (IoT) to increase efficiency, reduce costs, and enhance communications between networks. The end goal is to enable cities to leverage their IoT devices to create a more cohesive and connected environment. As more locations embark on adopting the smart city vision, reliance on data accuracy and speed of transmission will continue to grow, allowing all infrastructures to be connected through a single network.

Monday, January 22, 2018

iNews - Around The World This Week

1)     Understanding Supply Chain Cyber Attacks - Today's cybersecurity landscape has changed dramatically due to digitalization and interconnectivity. While the benefits of each push businesses toward adoption, security risks associated with interconnectivity between networks and systems raise major concerns. Everything-as-a-service removes traditional security borders and opens the door to new cyber-attacks that organizations might not be prepared to recognize or even deal with.

2)     Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in its Safety Controller System, and a RAT - Industrial control systems giant Schneider Electric discovered a zero-day privilege-escalation vulnerability in its Triconex Tricon safety-controller firmware which helped allow sophisticated hackers to wrest control of the emergency shutdown system in a targeted attack on one of its customers. Once the malware was inside the controller, it injected the RAT into memory by exploiting a zero-day vulnerability in the firmware, and escalating its privileges.

3)     Ransomware: Why the crooks are ditching bitcoin and where they are going next - The popularity of bitcoin is creating problems for criminals dealing in ransomware -- and some are already casting their gaze towards a less volatile cryptocurrency. While bitcoin has suddenly found itself in the public eye thanks to its rocketing -- and, more recently, plummeting -- value, it hasn't appeared from nowhere. We'll see a progressive shift in 2018 towards criminal use of cryptocurrencies other than bitcoin, making it generally more challenging for law enforcement to counter.

4)     Where to Find Security Holes in Serverless Architecture - Application security is getting a twist with the rise of serverless architectures, which introduce a new way of developing and managing applications - and a new wave of related security risks. Businesses are looking to serverless architectures to drive simplicity and reduce cost. Applications built on these platforms scale as cloud workloads grow, so developers can focus on product functionality without worrying about the operating system, application server, or software runtime environment.

5)     49% Indian companies not likely to secure sensitive data in cloud - While an overwhelming majority of global firms have adopted cloud services, there is still a wide gap in the level of security precautions applied by them, a survey has revealed. Almost half of Indian organizations say they are not likely to secure sensitive data in the cloud. Globally, organizations said only two-fifths of the data stored in the cloud is secured with encryption and key management solutions.

6)     Man pleads guilty to launching DDoS attacks against former employers - A man from New Mexico has admitted to launching distributed denial-of-service (DDoS) attacks against former employers, as well as possessing a firearm illegally. On Wednesday, the US Department of Justice (DoJ) said John Kelsey Gammell has pleaded guilty in a St. Paul, Minnesota court to directing DDoS attacks against former employers, business competitors, companies that refused to hire him and websites for law enforcement and courts, among others. Gammell not only set up the DDoS attacks, which launch traffic in such volumes that online services are disrupted, on his own computers but also paid DDoS-for-hire services to hammer victims further.

7)     Oman's stock exchange was easily hackable for months - The security flaw made the securities market an easy target and was only fixed after a security researcher sent more than half-a-dozen warning emails. A core router for Oman's stock exchange, the Muscat Securities Market, had both its username and password as "admin" for months, even after several attempts by a security researcher to warn the exchange of the security implications.

8)     Uber ignores security bug that makes its two-factor authentication useless - Uber has ignored a security bug that can allow an attacker to hack into user accounts by bypassing two-factor authentication because the ride sharing company says the flaw "isn't a particularly severe" issue. Two-factor authentication (2FA) is a vital part of protecting online accounts. It adds a second layer of security on top of your username and password -- which can be stolen -- by sending a code by text message to your phone, for example, which only you would have access to.

9)     Behavioral biometrics missing from cybersecurity - Recently, there’s been an uptick in the adoption of the NIST Cybersecurity Framework, a set of guidelines aimed at helping organizations improve their overall cybersecurity process. In December 2017, NIST released the second draft of its framework. Among the updates were two critical additions to the Identity Management, Authentication and Access Control guidance. Rather than being shocked by each new data breach, ransomware attack or instance of fraud, companies are increasingly working to improve their cybersecurity posture, and not just internal information security professionals.

Up to 40K Affected in Credit Card Breach at OnePlus - Chinese smartphone manufacturer OnePlus has reported a credit card breach affecting up to 40,000 users at oneplus.net. Users who entered their credit card data on the website between mid-November 2017 and January 11, 2018 could be at risk. The malicious script has been eliminated, the infected server quarantined, and all relevant system structures reinforced. Users who paid using a saved credit card, the "Credit Card via PayPal" option, or PayPal should not be affected, OnePlus reports.


Wednesday, January 17, 2018

iNews - Around The World This Week

1)     Hospital pays $55,000 in bitcoin to hackers after 'SamSam' ransomware locks systems - A US hospital has reportedly paid hackers $55,000 (£39,900) to restore control over its computer systems after they were infected with a strain of ransomware known as 'SamSam'. Last Thursday (11 January), staff at Hancock Regional Hospital, Indiana, found their computers had been infected with malware, which was demanding bitcoin to regain access. As reported, the hack impacted emails and health records, but no patient data is believed stolen.

2)     Privacy: The Dark Side of the Internet of Things - Before letting an IoT device into your business or home, consider what data is being collected and where it is going. There's a lot of buzz about the Internet of Things (IoT), but people aren't quite sure what to think of it. Back in fall 2016, there was a big attack on an Internet service provider in which a bunch of IoT devices became a botnet and made much of the Internet unavailable. It was a big moment that made people question the security of IoT. And although security risks are getting the headlines right now, and should certainly be considered, the bigger risk with IoT is privacy.

3)     Hackers hijack Twitter account of India's top diplomat to post photos of Pakistan's flag - The verified Twitter account of India's top diplomat to the United Nations was briefly taken over by suspected Turkish hackers early on Sunday, 14 January, morning. The Turkish hacking group Ayyıldız Tim claimed responsibility for the attack and managed to take over the president of the World Economic Forum's account over the weekend as well.

4)     IT Security Spending to Reach $96 Billion in 2018 - Worldwide IT security spending is expected to climb 8% next year to $96.3 billion, fueled by investments in identity access management and security services – two areas on tap to rise faster than the overall spending growth rate, according to a Gartner report released this week. Identity access management and security services to drive worldwide spending growth.

5)     The state of Israel’s cybersecurity market - The Equifax breach, WannaCry, NotPetya, the NSA leak, and many more cyber incidents – 2017 was certainly a busy year for hackers, illustrating yet again just how vital innovative cybersecurity solutions are in the fight against cyber threats. Second only to the U.S., in terms of cybersecurity investment 2017 was another excellent year for Israeli cybersecurity startups, with dozens of companies being formed, breaking fundraising records and producing solid exits. The 2017 data also suggest that the Israeli cybersecurity industry is maturing, as we see a shift in funding towards later stage companies.

6)     Top think tank warns cyberattacks could lead to 'inadvertent nuclear launches' - A new report from the Chatham House think tank has warned that cybersecurity vulnerabilities could lead to accidental nuclear war if countries carrying the hugely destructive warheads do not introduce new measures. While cybersecurity is a prevalent issue many sectors of society now have to consider, nuclear weapons systems were developed during a technological era when " little consideration was given to potential malicious cyber vulnerabilities", the report states.

7)     What is FakeBank? New banking malware can intercept SMS messages to steal sensitive data and funds – Security researchers have discovered a mobile malware strain that can intercept users' sensitive SMS messages to steal their banking details and funds, phone numbers, balance on a linked bank card and location data. According to Trend Micro researchers, the malware dubbed "FakeBank" has been spotted in several SMS/MMS management software apps and primarily targets victims in Russia and other Russian-speaking countries.

8)     Watch out for this Netflix phishing scam that will steal your credit card details - Netflix users are being warned to avoid clicking on any suspicious email links after a phishing scam was uncovered, which security experts say is designed to steal credit card details. Found by Australian cybersecurity firm MailGuard, and shared on Twitter by the New South Wales police, the fake emails use convincing social engineering tactics – including the official Netflix website layout – in an attempt to dupe recipients into entering financial details.


9)     Hyper-Converged Infrastructure To Accelerate IT Transformation - Technology is fast becoming the key pillar for organizations to stay competitive, spur innovations, and seize new growth opportunities. Despite increasing IT budgets, the traditional three-tier architecture, is proving to be a hindrance to meeting the rising business and market demands due to its inbuilt complexities. Apart from that, the stress to reduce operational costs and improve productivity is also forcing technology teams to explore alternative means to bring down complexity and costs through the adoption of agile architectures.

Blockchain Technology Goes Beyond Cryptocurrency - Cryptocurrency, the digital currency system that enables global monetary transactions between two parties without the need for a trusted third party financial institution, has gained tremendous momentum over the last few years. Bitcoin, the first cryptocurrency, came into existence in January 2009. Its inventor, Satoshi Nakamoto (an anonymous person or a group) published a whitepaper prior to this in October, 2008. Since then, numerous cryptocurrencies have come into existence. More recently, bitcoin has gained mainstream attention. Under the hood, the technological innovation is the blockchain that is seen as revolutionary foundational technology having a tremendous potential across different verticals.

Thursday, January 11, 2018

Making GDPR a priority for the year 2018

“ You can resist an invading army; you cannot resist an idea whose time has come,” once said Victor Hugo wisely.

Today, in India, that idea is privacy. To date, privacy has not put up much of a fight; that will change in 2018. After a couple of years of getting fringe interest, privacy has, quite quickly, hit a tipping point.
The advent of EU’s General Data Protection Regulation (GDPR), only adds to that movement. So, how is GDPR going to impact Indian organisations and what should you, the IT leaders, be doing to ensure that your organisation complies with GDPR regulations.
The EU General Data Protection Regulation (GDPR) becomes enforceable by law in May of 2018. It will require global organizations that hold the personal data of European Union residents to adhere to new requirements around control, processing and protection.
GDPR will have a far-reaching impact the digital economy
The GDPR probably won’t affect a large swathe of small and medium Indian businesses. But given the penalties (more on this later), that’s not a chance your business wants to take. Also, it is expected that many countries will follow the EU in terms of updating their regulations to match this new standard for data protection.
If not already, it is time to know if your company has or processes any data of a European company or a European citizen. Remember, the citizen doesn’t have to be residing in a country that’s part of the EU—just that she is a citizen. (Which countries are part of the EU?)
Given, the GDPR comes into force in May of 2018, it leaves Indian companies who haven’t started preparing only about two quarters to do so.
Preparing for GDPR is critical
Delaying preparation for GDPR isn’t the best approach. Procrastinating isn’t going to make the GDPR go away!
Like any law, the worst case only applies if your company has suffered a data breach and is challenged by a European company or citizen--and you can’t prove you have complied with the GDPR.
Any personal data breach impacting a European Union resident will need to be reported within 72 hours. Companies that do not comply will face fines of up to 20 million Euros or 4 percent of global turnover, whichever is higher. Infringements of a more technical nature call for penalties that amount to 2% of annual global revenue, or €10 million.  Those who have not budgeted for the long-term implications of the GDPR will struggle.
Complying with GDPRs Conditions
Our own research shows that complying with erasure (the right of EU nationals to scrubbed clean off your servers and the servers of your partners) is what concerns businesses the most (51%).
That said, there a host of that need to be met; how difficult they are to comply with comes down to maturity of your company’s data practices.
Here’s a slightly long, yet an-easy-to-read, list of changes that the GDPR has brought about.
What Needs to Change?
Plenty. The way your company asks for consent and collects data, how that data is stored and processed, the way your data supply chain is constructed, who your company shares data with, the number of technology partners your company uses for data back-up and archiving, the cloud services it chooses—all of this, and more, needs to change.
The majority of businesses will be stunned by the regulation’s impact on their operations, as it creates security challenges that cannot be solved solely with technology.
Smart companies will see this not just through the compliance lens but as a feature of their security policy. Fundamentally, the GDPR changes the way we look at data security.
Data is important because it belongs to people or is important to people, hence the focus on privacy. GDPR will put humans back at the centre of security debate. And is another idea whose time has come.

Tuesday, January 9, 2018

iNews - Around The World This Week

1)     Breach of India's Biometric Database Puts 1 Billion Users at Risk – A breach of the Unique Identification Authority of India's Aadhaar biometric system is putting personally identifiable information (PII) of more than 1 billion Indian residents at risk, reports the Tribune, an Indian publication. Attackers created a gateway to the biometric database, in which any Aadhaar user's ID number can be entered into a portal, the Tribune reports. Once the number is entered, it will pull up the resident's name, address, postal code, photo, phone number, and email address, according to the Tribune.

2)     Google Apps Script vulnerability could lead SaaS apps to download malware – Google Apps Script is vulnerable to exploits that could allow malware to be delivered via URLs. Attackers could automatically download arbitrary malware hosted in Google Drive to a machine -- and the victim would have no idea it was happening. This type of attack is different from phishing and malware distribution via links to Google Drive URLs, which are fairly common. These normally involve sending a Microsoft Office doc, which is enabled to run macros when the user gives permission.

3)     Android malware targets bitcoin, bank apps, including SBI, HDFC, Axis Bank: Report - If you are using banking or cryptocurrency apps on your mobile phone, you need to read on. An Android Banking Trojan called Flash Player has affected over 232 banking apps, many of which are mobile apps of prominent Indian public as well as private banks. Android mobile phone users having third party app stores - an online app market to install apps, just like Google Play but not owned by Android OS or Google - run the risk of accidentally downloading this malware, putting confidential security details like netbanking customer id and password at risk. Links to download this can also come through spam emails or SMS.

4)     Enterprise machine learning will double and jump start business growth and adoption, Deloitte predicts – Machine learning will intensify amongst medium and large-sized enterprises, doubling the number of implementations and pilot projects using machine learning technology in 2018 compared to last year, and then doubling again by 2020. According to Deloitte’s Technology, Media and Telecommunications (TMT) Predictions, advancements in machine learning technology include data science automation and a reduced need for training data as well as new chips in both data centers and mobile devices. The advancements will help establish the foundation, which will over the near term make machine learning mainstream across industries where organizations have limited talent, infrastructure and data to train models.

5)     Payment system, network security under RBI radar - The Reserve Bank of India has again flagged cyber risks faced by banks and said it would continue to do surprise drills and inspections to ensure that they have systems in place to deal with any threats to payment systems and network security. While the assessment is factored in the overall risk profile of a bank under risk-based supervision, certain specific areas like payment systems and network security are proposed to be subjected to more intensive scrutiny during the year.

6)     Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers – Serious security flaws that could let attackers steal sensitive data, including passwords and banking information, have been found in processors designed by Intel, AMD and ARM. Everything from smartphones and PCs to cloud computing affected by major security flaw found in Intel and other processors – and fix could slow devices.

7)     Behavioral biometrics will replace passwords by 2022 – In just a few years, we can all safely forget those cumbersome passwords we use to secure and unlock our devices. And we will be able to thank on-device artificial intelligence (AI) for easing the strain on our memory. Smartphones will be an extension of the user, capable of recognizing them and predicting their next move. Gartner analysts believe on-device AI, as opposed to cloud-based AI, will mark a paradigm shift in digital security, and will do so sooner than most people think.

8)     SplashData reveals the worst passwords of 2017 and they're still astonishingly terribleAfter trawling through the more than five million passwords that have leaked over the past year, mostly in North America and Western Europe, the California-based company said any one of the passwords included in its list of 100 worst passwords of the year would put users at "grave risk" of identity theft. For the fourth year in a row, "123456" took the top spot as the worst password of the year followed by "password". Naturally, variations of these two such as extra digits or replacing the "o" with a "0" (zero) in "password" were also included in the list.

9)     The Future of Seamless Hybrid Clouds – In a world that appears to be dominated by clouds -- both public and private -- the underlying infrastructure that provides connectivity becomes largely invisible to users. Indeed, one of the major promises of cloud is that the pools of resources that power the cloud can reside anywhere, are elastically available, and are dynamically adjusted to accommodate the fluctuating needs of the applications they power. The cloud is already a fractured marketplace, a situation that will only get worse. As cloud becomes more mainstream for enterprises, they will each focus on the things that make themselves attractive. If we assume for a moment that each of them will have some success, the likelihood that enterprises end up putting all of their resources into a single cloud seems low.

Bitcoin price rise could lead to smart home attacks and higher bills, cyber security expert warns – People’s homes could come under attack as a consequence of bitcoin’s price surge, a cyber security expert has warned. “Cryptojacking” incidents, in which people’s devices are quietly hijacked and forced to mine digital currencies for other people, are on the rise. “Any device that is ‘smart’ now has the three key ingredients to provide the cyber bad guy with everything they need – internet access, power and processing.