[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
* Cisco Systems : Software products or application platforms, do I have to choose?
* Russia’s Swift Alternative Looks Tempting After Hackers Steal Millions
* Experian : Data Breach Resolution and Ponemon Institute study reveals organizations are not doing enough to prevent employee-caused security incidents
* What is the right DDoS protection cloud service for your organization?
* Swift CEO to Say More Banks May Have Been Breached by Hackers
* Encryption is the foundation of the new data center
* 46% of German companies get external IT security services
* SWIFT Promises Security Overhaul, Fraud Detection
* Anonymised database will make UK number one for cyber insurance: ABI
* Liability of Cloud-Based Service Provider For Data Breach
* House Lawmakers Turn Up Heat on FDIC Over Cybersecurity
* OWASP set to address API security risks
Cisco Systems : Software products or application platforms, do I have to choose?
This is the final post in a series that has been focused on providing different ways to think about the job of a modern day software technology architect.
The series began with the idea of defining an architecture that blends physical and digital worlds, taking more of an omni-channel approach.
The next post expanded on this idea by discussing the era of the Platform Economy and the platform ecosystem.
It is here that the idea of three architectural patterns (orchestration, interaction and acquisition) was introduced.
Some resources were provided that highlight some starting points into understanding more about platform architecture thinking.
One of the more interesting elements presented was a comment by Marshall Van Alstyne (research professor, MIT) during an MIT panel discussion: ‘products have features and platforms have communities.’ A second provocative comment in this panel discussion worth exploring is the perspective that platforms beat products every time.
For me this led to a question, ‘is that true and if not, how do I choose and do I have to choose?’ In general, I do believe platforms beat products, and that platforms will begin to have a larger footprint in most companies’ architecture landscape…in the right context, for the right purpose to achieve flexible, yet targeted outcomes.
It is very easy to get overzealous and think that this lays the groundwork for an ‘either/or’ debate, similar to a make versus buy discussion.
An either/or approach to software is dangerous and incorrect thinking.
Most business environments require both, at least for the foreseeable future.
Thus, the key is to know why to choose which technology based on the desired outcomes and culture of the organization.
Potentially the most important selection criterion is to understand the mix of skills that exist and can be acquired at a cost the organization is willing to invest.
The benefit of traditional application software programs is that there is a broad availability of skills, training programs and experience to mitigate the risk in selecting the right technology.
The benefit of application platforms is the ability to adapt more readily to technology changes and avoid locking into a single vendor for extended periods of time that become painful to change.
In the end, the real decision is what culture does the organization have and what investment is the organization willing to make for the desired end state?
Determine if you are solving a distinct business problem versus solving a broader enterprise problem.
Many enterprises are focused on scale that has been tested, which is different from being able to scale.
While skills may be the most important decision criterion, time will most likely determine the final decision.
To really begin appreciating the power of software platforms versus products, I recommend spending time gaining hands-on experience with multiple platforms such as those mentioned earlier.
After that experience, see whether you agree or disagree with my position on the power and eventuality of platforms taking a greater percentage of enterprise mindshare and architecture footprint.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d65f343685&e=20056c7556
Russia’s Swift Alternative Looks Tempting After Hackers Steal Millions
The Society for Worldwide Interbank Financial Telecommunication (Swift) has been engulfed by a wave of cyber attacks where criminals have been able to steal tens of millions of dollars from banks in Bangladesh, Ecuador and Vietnam.
Swift, a global member-owned cooperative, based in Belgium, also stated that its services, network, and software were not compromised.
It stated that steps and specific measures were being taken to reduce cyber attacks.
The network service explained that from now on it would notify customers immediately of any known cases of malware, and that it would share best practices to improve security.
The incidents have highlighted the fact that the banking network may not be as secure as it was once thought to be.
Russia proposed an alternative to Swift last year as part of an effort among BRIC nations to create a transfer service that provides better security and is free of disruption.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=81cdfa16d4&e=20056c7556
Experian : Data Breach Resolution and Ponemon Institute study reveals organizations are not doing enough to prevent employee-caused security incidents
COSTA MESA, Calif., May 23, 2016 /PRNewswire/ — Experian Data Breach Resolution and Ponemon Institute today released an industry study revealing that while employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior.
The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences of poor security conduct and the effectiveness of training.
The study found that more than half (55 percent) of companies surveyed have already experienced a security incident due to a malicious or negligent employee.
However, despite investment in employee training and other efforts to reduce careless behavior in the handling of sensitive and confidential information, the majority of companies do not believe that their employees are knowledgeable about the company’s security risks.
Alarmingly, concern around the issue of employee security risks is not necessarily making companies any more effective at addressing it.
Sixty percent of companies surveyed believe that their employees are not knowledgeable or have no knowledge of the company’s security risks.
Additionally, the study showed a lack of concern by C-suite executives.
Only 35 percent of respondents say senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization.
This illustrates a clear gap between companies’ awareness of the issues caused by employee negligence and their actions.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6930c74b2a&e=20056c7556
What is the right DDoS protection cloud service for your organization?
A list of top DDoS protection cloud services given in random order can include F5 Silverline, Arbor Networks’ Arbor Cloud, CloudFlare’s advanced DDoS protection, VeriSign DDoS Protection Service, Imperva Incapsula, Akamai Kona Site Defender, Cisco Guard, and Level3 DDoS Mitigation.
There are many more such services; this list includes the best, depending on who you talk to.
Here are four tips to know when preparing to select a DDoS protection cloud service.
Tip No.1: Know Your Risk Profile.
Determining what DDoS protection cloud service is best for your business starts with knowing the risk profile of your organization, since you will have to marry a suitable service to that profile.
ISACA offers information about what to include in a risk profile.
Tip No.2: Know the protections/coverage you need.
Once you have established what the weight of these pain points would be on your organization during and after an active attack, you need to establish what kinds of protections are necessary.
Tip No.3: Know providers’ research methods.
The methods the DDoS protection cloud service uses to gather data about attack vectors are also important to your selection.
Tip No.4: Deployment options.
Be sure to ask whether the service can be deployed in different ways so that you can select the deployment approach that leaves you feeling confident and comfortable.
Cullen offers eight tips for ranking DDoS protection cloud services based on the quality of critical service capabilities.
Quality No.1: Low latency.
Quality No.2: Security track record.
Quality No.3: Remote ticketing service.
Quality No.4: Strong UI/dashboards for self-management.
Quality No.5: A Forensics Team.
Quality No.6: Logging.
Quality No.7: Licensing.
Quality No.8: Minimal impact to the local environment.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c2476d8c87&e=20056c7556
Swift CEO to Say More Banks May Have Been Breached by Hackers
(Bloomberg) — Hackers may have targeted more banks than have previously been reported, according to prepared remarks that the chief executive officer of Swift, the global interbank messaging system, is set to give on Tuesday.
The Society for Worldwide Interbank Financial Telecommunication will increase security requirements for the software clients use and help clients conduct security audits, the network’s chief executive officer, Gottfried Leibbrandt, will tell an audience at the European Financial Services Conference in Brussels, according to prepared remarks of the speech, which is slated to be delivered Tuesday.
The network will introduce certification requirements for vendors that help some banks connect to the network and may help banks use pattern recognition to identify suspicious behavior, he will say.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c4a6322d84&e=20056c7556
Encryption is the foundation of the new data center
A software-based encryption solution will be the foundation of the new data center architecture.
The role and importance of such an encryption layer is only just beginning to be realized.
More and more infrastructure platforms will offer built-in, always-on encryption that works without getting in the user’s way.
Interestingly, as the encrypt/decrypt functions become highly efficient, the more challenging part of encryption is managing the keys.
Infrastructure providers — cloud providers or software vendors such as VMware — will need to offer fully automated key management services to keep track of thousands of keys and have everything work together seamlessly.
The second and less obvious transformational aspect of ubiquitous infrastructure encryption is the role it can play in enforcing micro-segmentation and access control.
In this always-encrypted data center that we imagine, a cryptographic key must be released in order to boot a new server, attach a data volume to a server or allow one server to communicate with another.
If an access control policy were integrated with the key management system, complex access control policies could be implemented quite simply.
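The policy-gated key release described above, as an added illustration that is not code from the article or from any vendor: a toy key manager whose only primitive is releasing a key, so a (principal, action, resource) policy is what gates booting a server, attaching a volume and opening a server-to-server connection. Server and volume names such as web-01 and vol-web are constructed, and HMAC derivation from a root secret stands in for a real KMS.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

ACTIONS = {"boot", "attach", "connect"}

class KeyReleaseDenied(Exception):
    """Raised when policy does not permit the requested key release."""

@dataclass(frozen=True)
class Rule:
    principal: str  # workload identity asking for the key, e.g. "web-01" (constructed)
    action: str     # one of ACTIONS
    resource: str   # image, volume or peer server the key protects

@dataclass
class KeyManager:
    # Root secret held only by the key manager; every released key is derived from it,
    # so thousands of per-resource keys never have to be stored individually.
    master: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    rules: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # every decision, allow or deny

    def allow(self, principal: str, action: str, resource: str) -> None:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.rules.add(Rule(principal, action, resource))

    def _label(self, principal: str, action: str, resource: str) -> str:
        if action == "connect":
            # A pair key is shared by both ends, so label it by the unordered pair;
            # each end still needs its own 'connect' rule to obtain it (micro-segmentation).
            return "connect:" + ":".join(sorted((principal, resource)))
        # Boot and attach keys belong to the image or volume, not to the requester.
        return f"{action}:{resource}"

    def release(self, principal: str, action: str, resource: str) -> bytes:
        allowed = Rule(principal, action, resource) in self.rules
        self.audit.append((principal, action, resource, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise KeyReleaseDenied(f"{principal} may not {action} {resource}")
        label = self._label(principal, action, resource)
        # HMAC-based derivation: same label -> same key, other labels -> unrelated keys.
        return hmac.new(self.master, label.encode(), hashlib.sha256).digest()

def try_release(km: KeyManager, principal: str, action: str, resource: str) -> Optional[bytes]:
    """Convenience wrapper: the key on success, None when policy denies it."""
    try:
        return km.release(principal, action, resource)
    except KeyReleaseDenied:
        return None

def segment_example() -> KeyManager:
    """Constructed policy: web-01 boots, attaches its volume and talks to db-01; batch-07 has no rules."""
    km = KeyManager()
    for rule in [("web-01", "boot", "img-web"), ("web-01", "attach", "vol-web"),
                 ("web-01", "connect", "db-01"), ("db-01", "connect", "web-01")]:
        km.allow(*rule)
    return km
```

A workload with no rule never receives key material, so it cannot boot, mount or talk at all; the audit list doubles as the detection feed for denied attempts.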
The data center of the future will be defined entirely in software.
It will be dynamic and portable, spanning premise-based private clouds and hyperscale public clouds.
It will provide businesses with the agility they need to respond to rapidly changing market conditions, as well as to innovate rapidly.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ea14a90a35&e=20056c7556
46% of German companies get external IT security services
Almost 1 in 2 German industrial companies (46%) use external IT service providers for the implementation of security measures, according to a recent Bitkom survey conducted among 504 companies of the manufacturing industries with more than 10 employees.
Almost a quarter (24%) give the entire responsibility for security measures to an external company, while 20 percent share these between their own IT department and an outside service provider.
Almost half (46%) of smaller companies with up to 99 employees, 49 percent of medium-sized and 42 percent of large companies (500+ employees) instruct external partners.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e701b285a9&e=20056c7556
SWIFT Promises Security Overhaul, Fraud Detection
After blaming a recent spate of bank robberies on banks’ poor information security practices, SWIFT has somewhat changed its tune, saying that it wants to help financial firms spot related fraud and better share information about unfolding threats.
Leibbrandt promised that SWIFT will later debut a “five-part customer security program” that features:
* International information sharing “in a confidential way that uses the data while protecting the identity of the institution and customers.”
* Requiring customers to use strong security tools and practices “to better protect their local environments.”
* Better security guidance for customers, including related frameworks for auditing SWIFT-related security.
* A promise to try and help banks better analyze “payment pattern controls to identify suspicious behavior.”
* Certification requirements for third-party providers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=65fc0c2187&e=20056c7556
Anonymised database will make UK number one for cyber insurance: ABI
The Association of British Insurers is calling for a national, anonymised database recording details of cyber incidents at businesses to be established in order to help the UK become a world leader in cyber insurance.
The not-for-profit database would contain details of cyber incidents including business interruption losses, ransom demands, loss of confidential data, and damage to IT systems.
Building on the requirement in the European Network Information Security Directive for certain firms to provide notification of cyber incidents from 2018, this data could be anonymised and made accessible to insurers who could then use it to improve pricing and potentially put the UK at the forefront of the global market.
While several states in the USA require firms to report any cyber breaches to the authorities, a national database accessible to insurers would be a world first.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d69d0c3cfc&e=20056c7556
Liability of Cloud-Based Service Provider For Data Breach
The court was careful to review both the limit of liability clause (which provided an overall cap on liability to 12 months fees), and the exclusion clause (which barred recovery for indirect or consequential damages).
The overall limit of liability had an exception: the cap did not apply to a breach of the confidentiality obligation.
However, this exception did not impact the scope of the limit on indirect or consequential damages.
The court decided that the claimed breach did not result from a failure of performance, and that the consequential damages clause applied to LMT’s alleged loss.
As a result, LMT’s claims were dismissed.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a58c7977d9&e=20056c7556
House Lawmakers Turn Up Heat on FDIC Over Cybersecurity
WASHINGTON—An investigation by House lawmakers turned up “significant shortfalls” in a U.S. bank regulator’s cybersecurity policies, leaving private information and regulatory data susceptible to theft, House Republicans said Tuesday.
Following a subcommittee hearing earlier this month on seven cybersecurity breaches at the Federal Deposit Insurance Corp., new information obtained by the House Committee on Science, Space, and Technology indicates the agency may have misrepresented cybersecurity policies and hidden information from lawmakers, and that it has a culture of obstructing whistleblowers.
The committee also asked the agency to notify former employees who may have access to such electronic records to halt any destruction or alteration of those records.
The committee also requested interviews with nine employees at the agency who had been tapped to procure materials tied to the security breach.
They include Roberta McInerney, deputy general counsel for consumer and legislation, Andy Jiminez, director of legislative affairs, and Roderick Toms, acting chief information security officer, information security and privacy staff.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=07c78df900&e=20056c7556
OWASP set to address API security risks
OWASP has started a new project and is set to publish a new guide on security risks.
The issue they aim to tackle this time is API security.
The new OWASP API Security Project was introduced at the recently concluded NolaCon by project leader David Shaw and colleague Leif Dreizler (presentation recorded by Adrian Crenshaw).
The tentative API Security Top Ten Risks list has been compiled based on aggregate data from Bugcrowd (Dreizler is a Senior Security Engineer at the company), feedback from industry surveys, as well as high-profile breaches in the media, and currently looks like this:
1) Improper Data Sanitization
2) Insufficient Access Control
3) Insecure Direct Object Reference
4) Insufficient Transport Layer Security
5) Sensitive Data Exposure
6) Weak Server-Side Security
7) Improper Key Handling
8) Inconsistent API Functionality
9) Security Misconfiguration
Yes, you might have noticed: there is no number 10.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=461047b0cb&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.