{"id":1230,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail25-us4-mcsv-net\/"},"modified":"2021-12-30T11:39:00","modified_gmt":"2021-12-30T11:39:00","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail25-us4-mcsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail25-us4-mcsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail25.us4.mcsv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s,  apart from the reporter&#8217;s opinions ]<\/p>\n<p>* Cisco Systems : Software products or application platforms, do I have to choose?<br \/>\n* Russia\u2019s Swift Alternative Looks Tempting After Hackers Steal Millions<br \/>\n* Experian : Data Breach Resolution and Ponemon Institute study reveals organizations are not doing enough to prevent employee-caused security incidents<br \/>\n* What is the right DDoS protection cloud service for your organization?<br \/>\n* Swift CEO to Say More Banks May Have Been Breached by Hackers<br \/>\n* Encryption is the foundation of the new data center<br \/>\n* 46% of German companies get external IT security services<br \/>\n* SWIFT Promises Security Overhaul, Fraud Detection<br \/>\n* Anonymised database will make UK number one for cyber insurance: ABI<br \/>\n* Liability of Cloud-Based Service Provider For Data Breach<br \/>\n* House Lawmakers Turn Up Heat on FDIC Over Cybersecurity<br \/>\n* OWASP set to address API security risks<\/p>\n<p>Cisco 
Systems : Software products or application platforms, do I have to choose?<br \/>\nThis is the final post in a series that has been focused on providing different ways to think about the job of a modern-day software technology architect.<br \/>\nThe series began with the idea of defining an architecture that blends physical and digital worlds, taking more of an omni-channel approach.<br \/>\nThe next post expanded on this idea by discussing the era of the Platform Economy and the platform ecosystem.<br \/>\nIt is here that the idea of three architectural patterns (orchestration, interaction and acquisition) was introduced.<br \/>\nSome resources were provided that highlight starting points for understanding more about platform architecture thinking.<br \/>\nOne of the more interesting elements presented was a comment by Marshall Van Alstyne (research professor, MIT) during an MIT panel discussion: &#8216;products have features and platforms have communities.&#8217; A second provocative comment in this panel discussion worth exploring is the perspective that platforms beat products every time.<br \/>\nFor me this led to a question: &#8216;is that true, and if not, how do I choose, and do I have to choose?&#8217; In general, I do believe platforms beat products, and that platforms will begin to have a larger footprint in most companies&#8217; architecture landscapes\u2026in the right context, for the right purpose, to achieve flexible yet targeted outcomes.<br \/>\nIt is very easy to get overzealous and think that this lays the groundwork for an &#8216;either\/or&#8217; debate, similar to a make-versus-buy discussion.<br \/>\nAn either\/or approach to software is dangerous and incorrect thinking.<br \/>\nMost business environments require both, at least for the foreseeable future.<br \/>\nThus, the key is to know why to choose which technology, based on the desired outcomes and culture of the organization.<br \/>\nPotentially the most important selection criterion 
is to understand the mix of skills that exist and can be acquired at a cost the organization is willing to invest.<br \/>\nThe benefit of traditional application software programs is that there is a broad availability of skills, training programs and experience to mitigate the risk of selecting the wrong technology.<br \/>\nThe benefit of application platforms is the ability to adapt more readily to technology changes and to avoid locking into a single vendor for extended periods, which becomes painful to change.<br \/>\nIn the end, the real decision is what culture the organization has and what investment it is willing to make for the desired end state.<br \/>\nDetermine whether you are solving a distinct business problem or a broader enterprise problem.<br \/>\nMany enterprises are focused on scale that has been tested, which is different from being able to scale.<br \/>\nWhile skills may be the most important decision criterion, time will most likely determine the final decision.<br \/>\nTo really begin appreciating the power of software platforms versus products, I recommend spending time gaining hands-on experience with multiple platforms such as those mentioned earlier.<br \/>\nAfter that experience, see whether you agree or disagree with my position on the power and eventuality of platforms taking a greater percentage of enterprise mindshare and architecture footprint.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=d65f343685&#038;e=20056c7556<\/p>\n<p>Russia\u2019s Swift Alternative Looks Tempting After Hackers Steal Millions<br \/>\nThe Society for Worldwide Interbank Financial Telecommunication (Swift) has been engulfed by a wave of cyber attacks in which criminals have been able to steal tens of millions of dollars from banks in Bangladesh, Ecuador and Vietnam.<br \/>\nSwift, a global member-owned cooperative based in Belgium, also stated that its services, network, and software 
were not compromised.<br \/>\nIt stated that steps were being taken, along with specific measures to reduce cyber attacks.<br \/>\nThe network service explained that from now on it would notify customers immediately of any known cases of malware, and that it would share best practices to improve security.<br \/>\nThe incidents have highlighted the fact that the banking network may not be as secure as it was once thought to be.<br \/>\nRussia proposed an alternative to Swift last year as part of an effort among BRIC nations to create a transfer service that provides better security and is free of disruption.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=81cdfa16d4&#038;e=20056c7556<\/p>\n<p>Experian : Data Breach Resolution and Ponemon Institute study reveals organizations are not doing enough to prevent employee-caused security incidents<br \/>\nCOSTA MESA, Calif., May 23, 2016 \/PRNewswire\/ &#8212; Experian Data Breach Resolution and Ponemon Institute today released an industry study revealing that while employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior.<br \/>\nThe study, Managing Insider Risk Through Training &#038; Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences of poor security conduct and the effectiveness of training.<br \/>\nThe study found that more than half (55 percent) of companies surveyed have already experienced a security incident due to a malicious or negligent employee.<br \/>\nHowever, despite investment in employee training and other efforts to reduce careless behavior in the handling of sensitive and confidential information, the majority of companies do not believe that their employees are 
knowledgeable about the company&#8217;s security risks.<br \/>\nAlarmingly, concern around the issue of employee security risks is not necessarily making companies any more effective at addressing it.<br \/>\nSixty percent of companies surveyed believe that their employees are not knowledgeable or have no knowledge of the company&#8217;s security risks.<br \/>\nAdditionally, the study showed a lack of concern by C-suite executives.<br \/>\nOnly 35 percent of respondents say senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization.<br \/>\nThis illustrates a clear gap between companies&#8217; awareness of the issues caused by employee negligence and their actions.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=6930c74b2a&#038;e=20056c7556<\/p>\n<p>What is the right DDoS protection cloud service for your organization?<br \/>\nA list of top DDoS protection cloud services given in random order can include F5 Silverline, Arbor Networks\u2019 Arbor Cloud, CloudFlare\u2019s advanced DDoS protection, VeriSign DDoS Protection Service, Imperva Incapsula, Akamai Kona Site Defender, Cisco Guard, and Level3 DDoS Mitigation.<br \/>\nThere are many more such services; this list includes the best, depending on who you talk to.<br \/>\nHere are four tips to know when preparing to select a DDoS protection cloud service.<br \/>\nTip No.1: Know Your Risk Profile.<br \/>\nDetermining what DDoS protection cloud service is best for your business starts with knowing the risk profile of your organization, since you will have to marry a suitable service to that profile.<br \/>\nISACA offers information about what to include in a risk profile.<br \/>\nTip No.2: Know the protections\/coverage you need.<br \/>\nOnce you have established what the weight of these pain points would be on your organization in and after an active attack, you need to establish what 
kinds of protections are necessary.<br \/>\nTip No.3: Know providers\u2019 research methods.<br \/>\nThe methods the DDoS protection cloud service uses to gather data about attack vectors are also important to your selection.<br \/>\nTip No.4: Deployment options.<br \/>\nBe sure to ask whether the service can be deployed in different ways so that you can select the deployment approach that leaves you feeling confident and comfortable.<br \/>\nCullen offers eight tips for ranking DDoS protection cloud services based on the quality of critical service capabilities.<br \/>\nQuality No.1: Low latency.<br \/>\nQuality No.2: Security track record.<br \/>\nQuality No.3: Remote ticketing service.<br \/>\nQuality No.4: Strong UI\/dashboards for self-management.<br \/>\nQuality No.5: A forensics team.<br \/>\nQuality No.6: Logging.<br \/>\nQuality No.7: Licensing.<br \/>\nQuality No.8: Minimal impact to the local environment.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c2476d8c87&#038;e=20056c7556<\/p>\n<p>Swift CEO to Say More Banks May Have Been Breached by Hackers<br \/>\n(Bloomberg) &#8212; Hackers may have targeted more banks than have previously been reported, according to prepared remarks that the chief executive officer of Swift, the global interbank messaging system, is set to give on Tuesday.<br \/>\nThe Society for Worldwide Interbank Financial Telecommunication will increase security requirements for the software clients use and help clients conduct security audits, the network\u2019s chief executive officer, Gottfried Leibbrandt, will tell an audience at the European Financial Services Conference in Brussels, according to prepared remarks of the speech, which is slated to be delivered Tuesday.<br \/>\nThe network will introduce certification requirements for vendors that help some banks connect to the network and may help banks use pattern recognition to identify suspicious behavior, he will say.<br 
\/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c4a6322d84&#038;e=20056c7556<\/p>\n<p>Encryption is the foundation of the new data center<br \/>\nA software-based encryption solution will be the foundation of the new data center architecture.<br \/>\nThe role and importance of such an encryption layer is only just beginning to be realized.<\/p>\n<p>More and more infrastructure platforms will offer built-in, always-on encryption that works without getting in the user\u2019s way.<br \/>\nInterestingly, as the encrypt\/decrypt functions become highly efficient, the more challenging part of encryption becomes managing the keys.<br \/>\nInfrastructure providers &#8212; cloud providers or software vendors such as VMware &#8212; will need to offer fully automated key management services to keep track of thousands of keys and have everything work together seamlessly.<br \/>\nThe second and less obvious transformational aspect of ubiquitous infrastructure encryption is the role it can play in enforcing micro-segmentation and access control.<br \/>\nIn this always-encrypted data center that we imagine, a cryptographic key must be released in order to boot a new server, attach a data volume to a server or allow one server to communicate with another.<br \/>\nIf an access control policy were integrated with the key management system, complex access control policies could be implemented quite simply.<br \/>\nThe data center of the future will be defined entirely in software.<br \/>\nIt will be dynamic and portable, spanning premises-based private clouds and hyperscale public clouds.<br \/>\nIt will provide businesses with the agility they need to respond to rapidly changing market conditions, as well as to innovate rapidly.<br 
\/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=ea14a90a35&#038;e=20056c7556<\/p>\n<p>46% of German companies get external IT security services<br \/>\nAlmost 1 in 2 German industrial companies (46%) use external IT service providers for the implementation of security measures, according to a recent Bitkom survey conducted among 504 manufacturing companies with more than 10 employees.<br \/>\nAlmost a quarter (24%) hand the entire responsibility for security measures to an external company, while 20 percent share it between their own IT department and an outside service provider.<br \/>\nAlmost half (46%) of smaller companies with up to 99 employees, 49 percent of medium-sized companies and 42 percent of large companies (500+ employees) engage external partners.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=e701b285a9&#038;e=20056c7556<\/p>\n<p>SWIFT Promises Security Overhaul, Fraud Detection<br \/>\nAfter blaming a recent spate of bank robberies on banks&#8217; poor information security practices, SWIFT has somewhat changed its tune, saying that it wants to help financial firms spot related fraud and better share information about unfolding threats.<br \/>\nLeibbrandt promised that SWIFT will later debut a &#8220;five-part customer security program&#8221; that features:<br \/>\nInternational information sharing &#8220;in a confidential way that uses the data while protecting the identity of the institution and customers.&#8221;<br \/>\nRequiring customers to use strong security tools and practices &#8220;to better protect their local environments.&#8221;<br \/>\nBetter security guidance for customers, including related frameworks for auditing SWIFT-related security.<br \/>\nA promise to try to help banks better analyze &#8220;payment pattern controls to identify suspicious behavior.&#8221;<br \/>\nCertification requirements for third-party 
providers.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=65fc0c2187&#038;e=20056c7556<\/p>\n<p>Anonymised database will make UK number one for cyber insurance: ABI<br \/>\nThe Association of British Insurers is calling for a national, anonymised database recording details of cyber incidents at businesses to be established in order to help the UK become a world leader in cyber insurance.<br \/>\nThe not-for-profit database would contain details of cyber incidents including business interruption losses, ransom demands, loss of confidential data, and damage to IT systems.<br \/>\nBuilding on the requirement in the European Network and Information Security (NIS) Directive for certain firms to provide notification of cyber incidents from 2018, this data could be anonymised and made accessible to insurers, who could then use it to improve pricing and potentially put the UK at the forefront of the global market.<br \/>\nWhile several states in the USA require firms to report any cyber breaches to the authorities, a national database accessible to insurers would be a world first.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=d69d0c3cfc&#038;e=20056c7556<\/p>\n<p>Liability of Cloud-Based Service Provider For Data Breach<br \/>\nThe court was careful to review both the limit of liability clause (which provided an overall cap on liability of 12 months&#8217; fees) and the exclusion clause (which barred recovery for indirect or consequential damages).<br \/>\nThe overall limit of liability had an exception: the cap did not apply to a breach of the confidentiality obligation.<br \/>\nHowever, this exception did not affect the scope of the exclusion of indirect or consequential damages.<br \/>\nThe court decided that the claimed breach did not result from a failure of performance, and that the consequential damages clause applied to LMT\u2019s alleged loss.<br \/>\nAs a result, 
LMT\u2019s claims were dismissed.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=a58c7977d9&#038;e=20056c7556<\/p>\n<p>House Lawmakers Turn Up Heat on FDIC Over Cybersecurity<br \/>\nWASHINGTON\u2014An investigation by House lawmakers turned up \u201csignificant shortfalls\u201d in a U.S. bank regulator\u2019s cybersecurity policies, leaving private information and regulatory data susceptible to theft, House Republicans said Tuesday.<br \/>\nFollowing a subcommittee hearing earlier this month on seven cybersecurity breaches at the Federal Deposit Insurance Corp., new information obtained by the House Committee on Science, Space, and Technology indicates the agency may have misrepresented cybersecurity policies, hidden information from lawmakers, and has a culture of obstructing whistleblowers.<br \/>\nThe committee also asked the agency to notify former employees who may have access to such electronic records to halt any destruction or alteration of those records.<br \/>\nThe committee also requested interviews with nine employees at the agency who had been tapped to procure materials tied to the security breach.<br \/>\nThey include Roberta McInerney, deputy general counsel for consumer and legislation, Andy Jiminez, director of legislative affairs, and Roderick Toms, acting chief information security officer, information security and privacy staff.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=07c78df900&#038;e=20056c7556<\/p>\n<p>OWASP set to address API security risks<br \/>\nOWASP has started a new project and is set to publish a new guide on security risks.<br \/>\nThe issue they aim to tackle this time is API security.<br \/>\nThe new OWASP API Security Project was introduced at the recently concluded NolaCon by project leader David Shaw and colleague Leif Dreizler (presentation recorded by Adrian Crenshaw):<br \/>\nThe 
tentative API Security Top Ten Risks list has been compiled based on aggregate data from Bugcrowd (Dreizler is a Senior Security Engineer at the company), feedback from industry surveys, and high-profile breaches in the media, and currently looks like this:<\/p>\n<p>1) Improper Data Sanitization<br \/>\n2) Insufficient Access Control<br \/>\n3) Insecure Direct Object Reference<br \/>\n4) Insufficient Transport Layer Security<br \/>\n5) Sensitive Data Exposure<br \/>\n6) Weak Server-Side Security<br \/>\n7) Improper Key Handling<br \/>\n8) Inconsistent API Functionality<br \/>\n9) Security Misconfiguration<\/p>\n<p>Yes, you might have noticed: there is no number 10.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=461047b0cb&#038;e=20056c7556<\/p>\n<p>============================================================<br \/>\nFeedback, questions? Our mailing address is:  dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n<p>If you know someone else who would be interested in this Newsalert, please forward this email.<br \/>\nIf you want to be added to the distribution list, please click this:    Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a)<\/p>\n<p> Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556&#038;c=e33861ca72)<\/p>\n<p> Update subscription preferences (http:\/\/paulgdavis.us3.list-manage1.com\/profile?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s, apart from the reporter&#8217;s opinions ] * Cisco Systems : Software products or application platforms, do I have to choose? 
* Russia\u2019s Swift Alternative Looks Tempting After Hackers Steal Millions * Experian : Data Breach Resolution and Ponemon&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1230","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1230"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1230\/revisions"}],"predecessor-version":[{"id":3717,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1230\/revisions\/3717"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}