Monthly Archives: July 2018

Communication: A Significant Cultural Change for Embracing DevOps

Organizations can reap huge rewards by switching to a DevOps software development model. Some enterprises don’t know how to make the change.

Of course, organizations aren’t finished once they’ve fully embraced DevOps. That’s because security is not a single act but an ongoing process.

Even with automated tools and protocols, companies need to keep looking into what they have, where the industry is and what changes they might need to make to their environments. They should base these modifications in part on the new employees, systems and technology that join the enterprise over time.

In other words, a secure environment necessitates the adoption of good security standards if new additions are to become secure and interoperable with existing assets.

A key component of a dynamic secure environment is receptivity to employees’ concerns. Personnel who feel they’re being heard can make organizations aware of budding security risks and provide insight into appropriate strategies. By contrast, workers who think they’re being neglected won’t be as loyal to the organization and will therefore be more resistant to change, including alterations which can help make an existing DevOps model more secure.

To capitalize on employees’ feedback, organizations need to make communication a significant culture change as they embrace DevOps. Here are three considerations they should keep in mind.

1. Creating Communication Channels

Organizations need to make sure there are communications channels in place. They can do this by investing in a feedback management solution. Alternatively, those responsible for managing the DevOps systems can simply make themselves more accessible to employees by keeping their doors open and actively inviting professionals in other departments to share their thoughts.

2. Responding to Feedback

Organizations would be doing themselves a disservice if they received employees’ feedback but did nothing with it. Such inaction can breed resentment and disloyalty, not to mention overlooking areas where improvement is warranted. With that said, enterprises should articulate to employees that they are listening to their feedback and that they’ll do something about it. This level of transparency will improve the collaborative and communicative culture embodied by DevOps.

3. Acting on Concerns

All that remains is for organizations to act on the feedback. For instance, they can use the communication to measure and evaluate the impact of a change to the DevOps model in order to improve their culture, environment and productivity. Doing so can help them spot issues within teams, systems and processes that could have a great impact on the organization.

For more information about how communication factors into organizations’ transitions to a DevOps model, download Tripwire’s eBook Driving DevOps Security: Scalable Cybersecurity Best Practices for Scalable Teams.

Also, Tripwire is hosting a special webcast on August 21 titled “Leading a DevOps Transformation”.

Join us and guest presenters to learn how to help your organization achieve higher levels of performance whilst ensuring security is a continuous aspect of the process.

You can register here.



via:  tripwire

German Court Issues First GDPR Ruling

In the first decision (available in German only) applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR. Article 5 of the GDPR states that personal data collection shall be “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,” and “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

ICANN filed suit in Germany seeking an injunction to compel EPAG to collect the technical and administrative contact information. ICANN argued that the contact information was necessary to address problems that could arise in connection with the domain name registration. Rejecting ICANN’s request, the Regional Court of Bonn held that collecting data on technical and administrative contacts would violate the data minimization rule. In support of its finding, the court noted that registrants had not previously been required to provide technical and administrative contact details, and ICANN failed to provide adequate evidence that such data collection was necessary.

ICANN has appealed the Bonn court’s decision to the Higher Regional Court of Cologne, Germany. The challenges to privacy practices of Google and Facebook filed when the GDPR became effective in May are still wending their way through the system, but this case illustrates that both for-profit and not-for-profit organizations must take care to consider GDPR obligations. This first GDPR decision is a reminder that businesses should assess and document why the personal data they collect and process is necessary for a specific, legitimate purpose, and ensure that the information is limited to what is required to achieve that purpose.


via:  natlawreview

Gartner survey finds only 65% of organizations have a cybersecurity expert

The survey indicates that cybersecurity remains a source of deep concern for organizations.

Despite 95 percent of CIOs expecting an increase in cyberthreats over the next three years, only 65 percent currently have a cybersecurity expert, according to a survey by Gartner Inc.

It also reveals that skills challenges continue to plague organizations that undergo digitization, with digital security staffing shortages considered a top inhibitor to innovation.

The company gathered data from 3,160 CIO respondents in 98 countries and across major industries, representing approximately $13 trillion in revenue/public-sector budgets and $277 billion in IT spending.

Many cybercriminals not only operate in ways that organizations struggle to anticipate but also demonstrate a readiness to adapt to changing environments, according to Rob McMillan, Research Director at Gartner.

“In a twisted way, many cybercriminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data. CIOs can’t protect their organizations from everything, so they need to create a sustainable set of controls that balance their need to protect their business with their need to run it,” he said.

About 35 percent of survey respondents indicate their organization has already invested in and developed some aspect of digital security, while an additional 36 percent are actively experimenting or planning to implement in the short term. Gartner predicts that 60 percent of security budgets will be in support of detection and response capabilities by 2020.

“Taking a risk-based approach is imperative to set a target level of cybersecurity readiness. Raising budgets alone doesn’t create an improved risk posture. Security improvements must be prioritized by business outcomes to ensure the right amount is spent on the right things,” he said.

According to the survey, many CIOs consider growth and market share as the top-ranked business priority for 2018. Growth often means more diverse supplier networks, funding models, patterns of technology investing as well as different products, services and channels to support.

“The bad news is that cybersecurity threats will affect more enterprises in more diverse ways that are difficult to anticipate. While the expectation of a more dangerous environment is hardly news to the informed CIO, these growth factors will introduce new attack vectors and new risks that they are not accustomed to addressing,” said McMillan.

The survey also says that 93 percent of CIOs at top-performing organizations say that digital business has enabled them to lead IT organizations that are adaptable and open to change.

“Cybersecurity is faced with a well-documented skills shortage, which is considered a top inhibitor to innovation. Finding talented, driven people to handle the organization’s cybersecurity responsibilities is an endless function,” he said.


via:  moneycontrol

U.S. Senators Ask FTC to Launch Privacy Investigation of Smart TVs

Two United States Senators asked the Federal Trade Commission (FTC) to investigate the privacy policies and practices of smart TV manufacturers.

In mid-July, Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) submitted a letter to Joseph Simons, Chairman of the FTC, asking him to open an investigation.

To support their argument for an FTC review, the Senators cited a New York Times article that discusses Samba TV, a content recommendation platform which didn’t make its privacy policy for users as accessible and readable as some analysts feel it could have been.

As the Senators noted in their letter:

Many internet-connected smart TVs are equipped with sophisticated technologies that can track the content users are watching and then use that information to tailor and deliver targeted advertisements to consumers. By identifying the broadcast and cable shows, video games, over-the-top content like Netflix, and other applications that users are viewing, smart TVs can compile detailed profiles about users’ preferences and characteristics. Recent reports even suggest that smart TVs can identify users’ political affiliations based on whether they watch conservative or liberal media outlets.

The two Congressmen also referenced Vizio’s agreement to pay $2.2 million to settle complaints that the smart TV maker collected data on viewing habits from 11 million TVs without consumers’ knowledge or consent.

Included in their letter is a clarification that Congress has previously required companies to be more transparent about their data practices with respect to TV viewers. The Senators explained how Congress in 1984 acted to require that cable operators detail their data practices. They said the legislative branch of the federal government did the same with satellite carriers some two decades later.

Senators Markey and Blumenthal ended their letter with an appeal to the ongoing protection of users’ personal data, noting that “users should be given the opportunity to affirmatively consent to the collection and use of their sensitive information, while still having access to the core functions of smart TV technology.”

As of this writing, it’s unclear whether Simons received the letter and how he intends to respond if he has.


via:  tripwire

This new dual-platform malware targets both Windows and Linux systems

The “security by minority” stance should come crashing down as cross-compiling makes multiplatform malware development easier.

One of the oft-repeated reasons for using alternative operating systems is the suggestion that alternatives to Windows are more secure because malware is not produced for these minority systems—in effect, an argument in favor of security by minority. For a variety of reasons, this is a misguided notion. The proliferation of web-based attacks—which are inherently cross-platform, as they depend on browsers more than the underlying OS the browser runs on—makes this argument rather toothless.

In the narrower view of actual executables, Java-based malware such as McRAT has proliferated in the past, though Java on the desktop is practically unheard of on consumer computers in 2018. Likewise, with enterprises moving away from installing Java SE on workstations, the viability of that approach has dwindled. However, Google’s Golang—which supports cross compiling to run on multiple operating systems—is now being utilized by attackers to target Windows and Linux workstations.

According to a report by JPCERT, the WellMess malware can operate on Windows via Portable Executables and on Linux via ELF (Executable and Linkable Format). The malware gives a remote attacker the ability to execute arbitrary commands as well as upload and download files, or run PowerShell scripts to automate tasks. The commands are transferred to the infected device via RC6-encrypted HTTP POST requests, with the results of executed commands transmitted to the C&C server via cookies.

JPCERT has created a tool (available here) to decrypt the content of those cookies, so that defenders can identify what is being transmitted to the C&C server.

WellMess has been found in (unnamed by the report) Japanese companies, though it is unclear if the attacks are targeted exclusively in Japan, or if groups or individuals outside Japan have been affected. The C&C servers controlling infected systems are located in Lithuania, The Netherlands, Sweden, Hong Kong, and China. JPCERT advises that attacks using this malware are ongoing.

While WellMess is far from the first malware to run on Linux systems, the perceived security of Linux distributions as not being a significant enough target for malware developers should no longer be considered the prevailing wisdom, as cross-compilation on Golang will ease malware development to an extent for attackers looking to target Linux desktop users. As with Windows and macOS, users of Linux on the desktop should install some type of antivirus software in order to protect against malware such as WellMess.

In terms of free and open source software, ClamAV is likely the best option. ClamAV is a product of Cisco’s Talos Intelligence team, and is available in the default package repositories of most major Linux distributions. It is, however, a command line tool, making a front-end such as ClamTk or ClamAV-GUI necessary.

The big takeaways for tech leaders:

  • The WellMess malware can operate on Windows via PE (Portable Executable) and on Linux via ELF, giving a remote attacker the ability to execute arbitrary commands as well as upload and download files, or run PowerShell scripts to automate tasks.
  • The use of Google’s Golang allows attackers to cross-compile malware for use on multiple platforms, making potential attacks on Linux more trivial to engineer.


via:  techrepublic

Microsoft Teams gets a free version

Microsoft opened up the news floodgates at the kickoff of its annual Inspire event in Vegas. One of the more compelling announcements of the bunch is the addition of a free version of Teams.

The Slack competitor has been kicking around in some form or other since late-2016, but the $60 a year fee has likely made it a bit of a nonstarter for smaller businesses. After all, it’s Slack’s free tier that helped the work chat app gain so much traction so quickly. A free version makes a lot of sense for Microsoft.

Signing users up for Teams is a way to get more feet in the door of its application ecosystem, which was once ubiquitous in offices. Once they’ve downloaded Teams, workplaces will be hooked into the Microsoft 365 suite.

The free tier actually brings a fair bit of the app to up to 300 people per workplace. Here’s the full rundown of features, per Microsoft:

  • Unlimited chat messages and search.
  • Built-in audio and video calling for individuals, groups, and full team meetups.
  • 10 GB of team file storage plus additional 2 GB per person for personal storage.
  • Integrated, real-time content creation with Office Online apps, including built-in Word, Excel, PowerPoint, and OneNote.
  • Unlimited app integrations with 140+ business apps to choose from—including Adobe, Evernote, and Trello.
  • Ability to communicate and collaborate with anyone inside or outside your organization, backed by Microsoft’s secure, global infrastructure.

The company’s done a good job hooking in enterprise customers, but as it notes, SMBs constitute 90+ percent of businesses globally, so that’s a whole lot more devices to tap into. The free tier is available in 40 languages starting today.


via:  techcrunch

YouTube TV subscribers get a free week after World Cup meltdown

When one of the main selling points for your service is the ability to stream live sports, the last thing you want is a full-on service meltdown during a huge game.

Alas, that’s exactly what happened on Wednesday to YouTube TV. Just as the World Cup semi-finals game between Croatia and England started heating up, the service went dark.

As something of a mea culpa, YouTube has sent out an email to subscribers promising a free week of YouTube TV service. With most users paying ~$40 a month for the service, that works out to about $10 off their next bill. Curiously, user reports suggest the refund is going out to most, if not all, YouTube TV users — not just those who were watching (or, you know, trying to watch) the game in question.

Meanwhile, some users have noted that reaching out directly to customer service led to them getting a full month for free — so if you’re still feeling a bit burned by the whole thing, that might be something worth pursuing.

If you’re a subscriber but aren’t seeing the notice, check your spam box — some users in this Reddit thread are mentioning finding the notice hiding in there, or tucked away in the “social” tab in Gmail’s split view.


via:  techcrunch

Fortnite’s Summer Skirmish kicks off today, with $8 million prize pool


Fortnite Battle Royale has swept the gaming world. Alongside its 125 million users and record-breaking Twitch streams, the game has also drawn many competitive players away from their usual titles to try their hand at Battle Royale.

Today, that competitive play reaches an inflection point. At 4pm ET, Fortnite Battle Royale’s Summer Skirmish will kick off, with $8 million going to tournament winners over the course of the competition, and a whopping $250K going to the winners of today’s tournament.

This isn’t the first competitive Fortnite tournament we’ve seen. Celebrity Twitch streamer Ninja held a charity tournament in April, and Epic held a ProAm tournament combining competitive players and celebs who play Fortnite in June. Plus, sites like UMG and CMG have been holding smaller tournaments since Fortnite first rose to popularity. And then there are $20K Fortnite Friday tournaments for streamers held by UMG.

But today, the ante has most certainly been upped. This will be one of the highest paying Fortnite tournaments to date, and is yet just a small fraction of Epic Games’ promised $100 million prize pool for competitive play this year.

For some context, Dota 2 (previously the biggest competitive esports title out there) had a $25 million payout for the International Championship tournament in 2017, with the winners taking home $10.8 million. Call of Duty, one of the most popular titles over the last decade, is only paying out $1.5 million for its own Champs tournament this summer.

In other words, Fortnite is catching up quickly to the competitive gaming scene, not only in terms of talent but money. Epic Games’ Fortnite pulled in a record-breaking $318 million in June alone. In fact, Battle Royale is generating so much revenue for Epic that the company is now only taking a 12 percent share of earnings from its Unreal Marketplace.

But with that growth comes increased scrutiny. Though the company is passing along its fortunes to developers on the Unreal Engine and competitive players, some have noticed situations in which Epic might have been a bit stingy.


The stream for Fortnite Summer Skirmish begins at 4pm ET.

via:  techcrunch

Blizzard DoS attack affected Overwatch, Heroes of the Storm, World of Warcraft

A weekend-long denial-of-service (DoS) attack targeting Blizzard Entertainment, which caused severe lag for some players and prevented others from logging in at all, finally came to an end Monday morning.

The creators of Overwatch reported issues on their servers the day before and acknowledged that the attacks were affecting Overwatch as well as other games on their platforms. Heroes of the Storm and World of Warcraft were also plagued by the attacks.

“The DDOS attacks against network providers that we were monitoring have ended,” Blizzard tweeted, while Overwatch developer Bill Warnecke also confirmed the server problems on Reddit, stating his company is “aware of a major service issue now affecting all Blizzard titles,” and apologized for the hassle.

“Most services available on the Internet today are vulnerable to DDoS attacks and online gaming is no exception,” said Sean Newman, director of product management for Corero Network Security. “With the chance for gamers to often get an unfair advantage by blocking their adversaries from playing, the motivation for launching attacks against these platforms is high.” 

Newman added that the stakes can also be high for the providers that host the players of these games, and that the “only way to ensure resiliency, for what is often a soft target, is for the providers to deploy the latest generation of real-time, automatic DDoS protection.”

Although the attacks have ended for now, there is no guarantee that another attack isn’t on the way, as threat actors have targeted the platform with similar attacks in the past, although those attacks typically didn’t last as long.


via:  scmagazine

Machine Learning, Cloud, Compliance and Business Awareness Drive Cybersecurity

Senior business awareness of cybersecurity, legal and compliance issues, and cloud-delivered products are some of the trends driving the industry, according to Gartner.

According to its Top Six Security and Risk Management Trends, Gartner said that “business leaders are becoming increasingly conscious of the impact cybersecurity can have on business outcomes” and encouraged security leaders to harness this increased support and take advantage of its six emerging trends “to improve their organization’s resilience while elevating their own standing.” The trends are as follows:

  • Trend No. 1: Senior business executives are finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation
  • Trend No. 2: Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities
  • Trend No. 3: Security products are rapidly exploiting cloud delivery to provide more-agile solutions
  • Trend No. 4: Machine learning is providing value in simple tasks and elevating suspicious events for human analysis
  • Trend No. 5: Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations
  • Trend No. 6: Dangerous concentrations of digital power are driving decentralization efforts at several levels in the ecosystem

In regard to cloud computing, which Gartner said is affected by trends 3 and 6, “new detection technologies, activities and authentication models require vast amounts of data that can quickly overwhelm current on-premises security solutions,” and this is driving a rapid shift toward cloud-delivered security products, which “are more capable of using the data in near real time to provide more-agile and adaptive solutions.”

Also with regards to emerging trends, Gartner predicted that “by 2025, machine learning will be a normal part of security solutions and will offset ever-increasing skills and staffing shortages” as well as offering solutions to multiple security issues, such as adaptive authentication, insider threats, malware and advanced attackers.

Peter Firstbrook, research vice-president at Gartner, said: “Look at how machine learning can address narrow and well-defined problem sets, such as classifying executable files, and be careful not to be suckered by hype.

“Unless a vendor can explain in clear terms how its machine learning implementation enables its product to outperform competitors or previous approaches, it’s very difficult to unpack marketing from good machine learning.”


via:  infosecurity-magazine