Today's Tech Digest - Jun 02, 2020
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
Big GDPR Fines in UK and Ireland: What's the Holdup?
"Although the impact of COVID-19 may explain some of the current, continued delay, quite why what may end up being over a year to resolve these matters since the ICO announced its intentions to fine may leave some wondering whether GDPR enforcement is going as quickly as it should," he says. "In addition, what was also expected to be a showcase for the first significant fines under GDPR in the U.K. may now be a letdown." But Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting, says that seeing an extended legal process isn't surprising, especially because GDPR enforcement norms have yet to be set. "The regulator, be that the ICO or any other regulator, has to ensure their case is a legally watertight as it can be before issuing a fine or a penalty. This is very important as organizations, particularly large ones with deep legal resources, will no doubt challenge any penalties imposed on them," he says. "The BA and Marriott cases are a prime example of this," says Honan, who's also a cybersecurity adviser to Europol, the EU's law enforcement intelligence agency. "We also have to take into account many of the regulators have limited resources, and their staff have to ensure they support the rights of all data subjects as best they can."
How to set up a chaos engineering game day
It isn't easy to run a chaos engineering game day. Nonetheless, it should be both fun and instructive. Manifold has hosted several styles of chaos engineering game days. Examples include 30-minute tabletop events as well as multi-hour active failure events that involve the full engineering team. A recent offsite Manifold event involved dice rolls, character classes and prizes for surviving the chaos incident. To maintain a chaos engineering program, employees must enjoy the challenge. "Uncontrolled chaos will happen to your system -- save your seriousness for that," said James Bowes, CTO of Manifold. Role-playing game days are a great way to keep it interesting. With each chaos engineering game day, the organization should build up its resistance to digital failure. "As you proceed, and if you are successful, it should become more difficult to find parts of the system to break," Bowes said. Let the participants know that the goal is to find problems; if they break something, consider that a success. But keep other teams and stakeholders informed.
It’s Time to Rethink Leadership Around Leading for Resilience
If you lead with the assumption that something somewhere and at some time will jump out and attack, you naturally prepare to defend yourself. This preparation doesn’t distract you from moving forward, but it does prove critical when you need to protect yourself. If your entire supply chain is dependent upon the ongoing support of unfriendly or at least unaligned actors and subject to pendulum swings in the political environment, you diversify the supply chain risk. By the same token, minimizing business model risk by diversifying channels is essential. Moving forward, expect every restaurant and food-service operator that is interested in surviving and thriving to develop robust online and takeout systems and internal processes. I’ve lost interest or empathy for the old-line retailers of my childhood now teetering on the brink of the abyss. They’ve had more than two decades to reset for resilience and diversify their business models, develop new channels, embrace technology, and make themselves relevant to consumers. A few have pulled this off and merit kudos. The rest will likely soon join the growing heap of old brands that will be lost to memory in a few short years.
Work in a COVID-19 world: Back to the office won’t mean back to normal
We’re now able to say, “Okay, what might be the new normal beyond this?” We recognize that there will be re-integration back into our worksites done in the current COVID-19 environment. But beyond COVID, post-vaccines, as we think about our business continuity going forward, I do think that we will be moving into, very purposefully, a more hybrid work arrangement. That means new, innovative, in-office opportunities because we still want people to be working face-to-face and have those in-person sort of collisions, as we call them. Those you can’t do at all or they are harder to do on videoconferencing. But there can be a new balance between in-office and remote work -- and fine-tuning our own practices – that will enable us to be as effective as possible in both environments. So, no doubt, we have already started to undertake that as a post-COVID approach. We are asking what it will look like for us, and then how do we then make sure from a philosophical and a strategy perspective that the right practices are put into place to enable it.
Cloud infrastructure operators should quickly patch VMware Cloud Director flaw
The reason the flaw has not been rated critical is likely because attackers technically need authenticated access to VMware Cloud Director to exploit it. However, according to Citadelo's Zatko, that's not hard to achieve in practice since most cloud providers offer trial accounts to potential customers that involve access to the Cloud Director interface. In most cases there is no real identity verification either for such accounts, so attackers can gain easy access without providing their real identities. This highlights a larger issue with assessing risk based only on vulnerability scores: Severity scores don't always reflect or take into account the real-world conditions in which vulnerable systems might typically exist. Certain configuration or deployment choices can make a vulnerability much easier or harder to exploit than the advisory or the CVSS score suggests. Zatko is concerned that VMware Cloud Director users did not take the issue too seriously based on the advisory alone. More than two weeks after the patches had already been out, his company tested another Fortune 500 organization that used the product and it was still vulnerable.
Read more here ...