Tuesday, April 14, 2020

What I'm Reading 4/14/2020 - The Economy Is Destroyed Forever, And Cloud Misconfigurations Are Going To Doom Us All

Reuters - Governors of California, Oregon and Washington make deal to reopen economies -
The governors of three U.S. West Coast states, California, Oregon and Washington, said on Monday they had reached an agreement to work together to reopen their economies and lift health restrictions as the coronavirus pandemic eases. 
Foreign Policy - The Normal Economy Is Never Coming Back -
Thursday’s news confirms that the Western economies face a far deeper and more savage economic shock than they have ever previously experienced. Regular business cycles generally start with the more volatile sectors of the economy—real estate and construction, for instance, or heavy engineering that depends on business investment—or sectors that are subject to global competition, such as the motor vehicles industry. In total, those sectors employ less than a quarter of the workforce. The concentrated downturn in those sectors transmits to the rest of the economy as a muffled shock.
The coronavirus lockdown directly affects services—retail, real estate, education, entertainment, restaurants—where 80 percent of Americans work today. Thus the result is immediate and catastrophic. In sectors like retail, which has recently come under fierce pressure from online competition, the temporary lockdown may prove to be terminal. In many cases, the stores that shut down in early March will not reopen. The jobs will be permanently lost. Millions of Americans and their families are facing catastrophe.
 Synopsys - How to Cyber Security: Application security is critical for data security -
Unfortunately, the nature of modern computing makes the goal of data protection difficult, to say the least:
  • Computers and the internet make it drop-dead easy to quickly copy any type of information all over the planet.
  • The internet is not a secure network. Information flows through it on the digital equivalent of postcards, where it can be read at any intermediate point.
  • Software security is not understood well. This means that people implementing software systems sometimes make catastrophic errors, such as storing unencrypted sensitive information in publicly accessible cloud storage without any access control.
  • Software systems are large and complex. Complexity provides many dark nooks and crannies where vulnerabilities can live. Without a disciplined approach to application security, serious mistakes might go unchecked.
 Fifth Domain - Watchdog finds the Pentagon is behind on several cybersecurity initiatives -
 The Department of Defense is behind on several internal cybersecurity initiatives, years after some were expected to be completed, Congress’ watchdog agency has found.
An April 13 report from Government Accountability Office report, titled "DOD Needs to Take Decisive Actions to Improve Cyber Hygiene,” warned that the Pentagon faces increased cybersecurity risk because the department hasn’t implemented basic cybersecurity practices.
“Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack," GAO officials wrote.

Cyber Saint - Tools for expanding NERC CIP across the Enterprise -
Scaling the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance requirements across an enterprise can be a daunting task. With an ever-expanding list of assets in both IT and OT that need to be accounted for, even the most experienced CISO can become overwhelmed with the complexities of centralizing information across multiple business units. Fortunately, there are solutions that enable information security leaders to centralize and scale NERC CIP compliance across the entire enterprise.
Medium - The Most Difficult Security Architecture Question Out There -
Drumroll…. I think it is this one:
What is Security Architecture?
...
You might just think — Esther, can’t we just get on with doing it? Yes, yes, of course that matters a lot. But if we don’t know ourselves what we mean, how are others supposed to? What if I would like to explain to my other colleagues in 1 or 2 sentences what security architecture is? What if a client asks me what security architecture is? Do you have a clear cut answer ready? It is very important to be clear what we mean when we talk about security architecture, otherwise we could get into all kinds of misunderstandings, misconceptions and misgivings. 
 Reuters - Amazon fires two employees critical of warehouse working conditions -
Amazon.com Inc (AMZN.O) said on Tuesday it terminated two employees, who criticized the working conditions at the e-commerce giant’s warehouses in the wake of the coronavirus pandemic, for “repeatedly violating internal policies”.
...
Amazon said it supported “every employee’s right to criticize their employer’s working conditions, but that does not come with blanket immunity against any and all internal policies.” 
CNN - The world hasn't seen a recession this bad since the 1930s. The recovery is far from certain -
In its latest outlook for the world economy, the IMF said it expects GDP will contract by 3% in 2020, a far worse recession than the one that followed the global financial crisis of 2008, and a 180-degree reversal of its previous forecast in January when it was expecting growth of 3.3% this year.
"The Great Lockdown, as one might call it, is projected to shrink global growth dramatically. A partial recovery is projected for 2021 ... but the level of GDP will remain below the pre-virus trend, with considerable uncertainty about the strength of the rebound," the IMF said. "Much worse growth outcomes are possible and maybe even likely," it added.
Dark Reading - You're One Misconfiguration Away from a Cloud-Based Data Breach -
Not all instances of data exposure in the cloud are the product of malicious intentions from either internal or external actors. In its "2019 Data Breach Investigations Report" (DBIR), for instance, Verizon Enterprise showed that errors constituted one of the top causes in the data breaches it examined. Verizon's researchers attributed 21% of those incidents to misconfigurations, which are now one of the most common ways by which digital criminals can gain a foothold into your infrastructure-as-a-service (IaaS) environment.
...
McAfee provided a list of such misconfigurations affecting Amazon Web Services (AWS) in its "Cloud Native: The Infrastructure-as-a-Service (IaaS) Adoption and Risk Report":
● EBS data encryption is not turned on.
● There 's unrestricted outbound access
● Access to resources is not provisioned using IAM roles.
● EC2 security group port is misconfigured.
● Publicly exposed cloud resources.
● EC2 security group inbound access is misconfigured.
● Unencrypted AMI is discovered.
● Unused security groups are discovered.
● VPC Flow logs are disabled.
● Multifactor authentication is not enabled for IAM users.
● S3 bucket encryption is not turned on.
Security Boulevard -  5 Things Every CEO Should Know About Cyber Security -
Even with a competent CISO and IT team in place, the CEO must know at the very least what questions to ask. Here are the basic five things every CEO should know about cybersecurity to protect their business.
  1. Know the scope of your data inventory
  2. Know the data inventory chain
  3. How well is your system protection implemented
  4. Audit your security systems
  5. Assess your risk exposure


No comments: