September 21, 2022
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
Prasad Ramakrishnan, CIO at Freshworks, points out that low- and no-code tools enable businesses to do more with less, and the easy-to-use, configuration-based user experience of these tools means anyone can use them. He adds tech stacks have become bloated and complex, with features end users typically don't care about. “In an attempt to check every box, technology went from being purpose-built, to tailored to no one,” he says. “The pandemic has made this trend more pronounced.” Ramakrishnan conducts an “app rationalization” exercise regularly with his team, evaluating software applications in terms of integrations needed, their security, whether they are being used (to retire if needed) and how much they are being used (to reduce licenses if needed). “Constantly audit your tech stack,” he advises. “We also involve the end user to make sure everyone is part of the process, akin to a democratized process.” From his perspective, leaders need to create space for end-user feedback -- without it, companies could be taking away valuable tools that employees use and leave them with bloated applications they never use.
There have been numerous tweets and posts about governance, the blame game, and other topics. Governance, in my opinion, begins with the founders and senior management. The investors/board have no way of knowing about fraud or any of the aforementioned issues because they are not involved in the day-to-day operations. However, once discovered, the board of directors and investors are responsible for resolution. Consider the case of a company in the news: many prominent Silicon Valley and New York-based investors participated despite the fact that one of the cofounders was convicted of identity theft. If they believe in second chances, why not make this cofounder a full-fledged director of the company? There is also the role of regulatory bodies such as the RBI, given that some of these startups (particularly fintech) are governed by them because they have a stake in a bank. Laws and regulations that encourage collaboration to ensure there is no “conflict” or, for example, our regulations make it impossible for investors to liquidate and take their money back.
Per the Single Responsibility Principle, no class should have more than one responsibility (i.e., it should have one and only one purpose). If you have multiple responsibilities, the functionality of the class should be split into multiple classes, with each of them handling a specific responsibility. ... When classes are open for extension but closed for modification, developers can extend the functionality of a class without having to modify the existing code in that class. In other words, programmers should make sure their code can handle new requirements without compromising on the existing functionality. Bertrand Meyer is credited with introducing this principle in his book entitled “Object-Oriented Software Construction.” According to Meyer, “a software entity should be open for extension but closed for modification.” The idea behind this principle is that it allows developers to extend software functionality while preserving the existing functionality. In practical terms, this means that new functionality should be added by extending the code of an existing class rather than by modifying the code of that class.
“It’s disheartening, and Uber is definitely not the only company that this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are pretty similar to what a lot of red teamers, myself included, have used in the past. So, unfortunately, these types of breaches no longer surprise me.” The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login. Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login through a push notification on their device rather than through other means, such as providing a randomly generated code.
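A defender-side illustration of the pattern described above, added here and not taken from the quoted article: the Python below scans authentication log lines for an approved push that follows a burst of denied or timed-out prompts for the same user. The log format, field names, threshold and 90-minute window are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format and field names are assumptions.
SAMPLE_LOG = """\
2022-09-15T09:00:00Z user=carol result=denied
2022-09-15T10:00:00Z user=carol result=denied
2022-09-15T11:00:00Z user=carol result=denied
2022-09-15T12:00:00Z user=carol result=denied
2022-09-15T13:00:00Z user=carol result=denied
2022-09-15T13:05:00Z user=carol result=approved
2022-09-15T18:00:05Z user=alice result=denied
2022-09-15T18:12:40Z user=alice result=timeout
2022-09-15T18:25:10Z user=alice result=denied
2022-09-15T18:30:00Z user=bob result=timeout
2022-09-15T18:30:45Z user=bob result=approved
2022-09-15T18:41:02Z user=alice result=denied
2022-09-15T18:55:30Z user=alice result=timeout
2022-09-15T19:08:15Z user=alice result=denied
2022-09-15T19:11:47Z user=alice result=approved
"""

def parse(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_push_fatigue(lines, threshold=5, window=timedelta(minutes=90)):
    """Return (user, approval_time, unapproved_count) for every approval that
    follows at least `threshold` denied/timed-out pushes inside `window`.
    Assumes each user's events arrive in chronological order."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = []
    for line in filter(str.strip, lines):
        rec = parse(line)
        q = recent[rec["user"]]
        while q and rec["ts"] - q[0] > window:  # drop prompts outside the window
            q.popleft()
        if rec["result"] in ("denied", "timeout"):
            q.append(rec["ts"])
        elif rec["result"] == "approved":
            if len(q) >= threshold:
                alerts.append((rec["user"], rec["ts"], len(q)))
            q.clear()  # a successful login resets the user's burst
    return alerts

if __name__ == "__main__":
    for user, ts, count in find_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"ALERT {user}: approval at {ts} after {count} unapproved pushes")
```

On the constructed log only alice is flagged: carol's denials are spread over four hours and age out of the window, and bob's single timeout is below the threshold.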
“NIST outlines several simple steps to strengthen passwords against modern password-based attacks. Organizations that ignore NIST’s recommendations are leaving an essential authentication security layer vulnerable,” notes Josh Horwitz, chief operating officer at Enzoic. ... As hacking threats increase and many IT teams are understaffed, upgrading your password policy may seem like a nice-to-have. However, password hardening is easy to do, leverages the existing investment in passwords and, unlike most security policies, actually makes things easier for users and administrators. The right solution reduces user frustration around frequent required resets and complex rules. Technology can also lower administrative burden and spend by using automation to reduce password reset calls and boost cybersecurity. Adopting modern technology such as Enzoic for Active Directory can help you avoid security breaches, prevent ransomware attacks and avoid account takeovers. “Organizations need a way to identify when passwords become compromised,” says Horwitz, adding, “Otherwise, their users and administrators can’t follow or enforce the NIST requirement to not reuse compromised passwords.”
Many business leaders and human resources professionals believe that cybersecurity is the responsibility of their information technology staff and managed services provider. However, ensuring that employees and their families have appropriate cybersecurity protection is an employee benefit that benefits employers as well. Mistakes, lack of awareness and general vulnerability of employees remain the most significant cybersecurity risk for most employers. Simply training employees about cyber threats typically fails to reduce that risk sufficiently. To have a truly cyber-mature workforce, employers need to engage employees in cybersecurity. Teaching employees about the threats to themselves and their families, and making personal protection services available to them, is a much better method to engage employees in cybersecurity. Cybersecurity training is not most people’s idea of a good time. However, employees sit up and take notice when trainers talk to them about the prevalence and severity of the cyber threats to themselves personally, including their identities, credit files, financial accounts, personal devices and home networks.