How IoT, 5G, RPA and AI are opening doors to cybersecurity threats

“You can’t say civilization don’t advance… in every war they kill you in a new way.” – Will Rogers

Software is eating the world. Cloud, RPA and AI are becoming increasingly common and a necessary part of every business that wishes to thrive or survive in the age of digital transformation, whether to lower operational costs or to stay competitive. But as we increasingly digitalize our work, we’re opening new doors for cybersecurity threats. Here, we dive into the technological advancements of the past year to learn how we can use that progress without getting burnt.

IoT

From office devices to home appliances, our “anytime, anywhere” needs require every peripheral to connect to the internet and our smartphones. But simultaneously, the new IT landscape has created a massive attack vector. SonicWall’s Annual Threat Report discovered a 217% increase in IoT attacks, while their Q3 Threat Data Report discovered 25 million attacks in the third quarter alone, a 33% increase that shows the continued relevance of IoT attacks in 2020.

IoT devices collect our private data for seemingly legitimate purposes, but when a hacker gains access to those devices, they offer the perfect means for spying and tracking. The FBI recently warned against one such example of the cybersecurity threat concerning smart TVs, which are equipped with internet streaming and facial recognition capabilities.

As governments increasingly use cyberattacks as part of their aggressive policies, the problem only gets worse. IoT devices were usually exploited for creating botnet armies to launch distributed denial-of-service attacks, but in April 2019, Microsoft announced that Russian state-sponsored hackers used IoT devices to breach corporate networks. The attackers initially broke into a voice over IP phone, an office printer and a video decoder and then used that foothold to scan for other vulnerabilities within their target’s internal networks.

Some of the hacks mentioned above were facilitated because the devices were deployed with default manufacturer passwords, or because the latest security update was not installed. But with the IoT rush, new cybersecurity threats and attack vectors emerge. “When new IoT devices are created, risk reduction is frequently an afterthought. It is not always a top priority for device makers to create security measures since no initial incentive is seen due to a lack of profit,” warned Hagay Katz, vice president of cybersecurity at Allot, a global provider of innovative network intelligence and security solutions. “Most devices suffer from built-in vulnerabilities and are not designed to run any third-party endpoint security software. For many consumers, cybersecurity has been synonymous with antivirus. But those days are long gone,” he said.

To fight against the new cybersecurity threats, Katz recommended turning to a communications service provider (CSP). “Through machine learning techniques and visibility provided by the CSP, all the devices are identified. A default security policy is then applied for each device and the network is segregated to block lateral malware propagation. By simply adding a software agent on the subscriber’s existing consumer premise equipment, CSPs can easily roll out a network or router-based solution that protects all the consumer’s IoT devices.”

We also need to consider whether we really need an IoT version of everything. In the words of Ryan Trost, co-founder and CTO of ThreatQuotient who has over 15 years of security experience focusing on intrusion detection and cyber intelligence: “I can appreciate the benefits of every single student having a tablet (or equivalent) for schooling. However, I struggle to find the legitimacy of why my refrigerator needs an Internet connection, or for that matter, a video conferencing feature.”

5G

While the next generation network takes AI, VR and IoT to new levels, it’s also creating new problems. “5G utilizes millimeter waves, which have a much shorter range than the conventional lower-frequency radio waves. This is where the source of the greatest [cybersecurity] threat in 5G infrastructure originates from,” warned Abdul Rehman, a cybersecurity editor at VPNRanks. “An attacker can steal your data by setting up a fake cell tower near your home and learn a great deal about the device you are using including location, phone model, operating system, etc. These can even be used to listen in on your phone calls.” To mitigate the risk, Rehman suggests relying on strong encryption.

AI

We’ve previously talked about how AI is vulnerable to data poisoning attacks. As the technology advances, new forms of cybersecurity threats emerge. Voice deepfakes are one such threat, where hackers impersonate C-level executives, politicians or other high-profile individuals. “Employees are tricked into sending money to scammers or revealing sensitive information after getting voice messages and calls that sound like they are from the CFO or other executives,” said Curtis Simpson, CISO at IoT security company Armis. “We’ve already seen one fraudulent bank transfer convert to $243,000 for criminals. Given how hard it is to identify these deepfakes compared to standard phishing attacks, I expect these operations will become the norm in the new year.”

It only takes one wrong click for a hacker to implant malware or open a backdoor. Unfortunately, that could be the undoing of all other security measures put in place to protect the network. “No one is off limits when it comes to cybersecurity threats,” warned PJ Kirner, CTO and founder of Illumio, which develops adaptive micro-segmentation technologies to prevent the spread of breaches. Children could end up installing malware on their parents’ phones. According to Kirner, “our sons and daughters will quickly become a new threat vector to enterprise security.”

Robotic process automation

A Gartner report showed the annual growth of RPA software and projected that revenue will grow to $1.3 billion by 2019. “In 2020, [RPA] will continue its disruptive rise and become even more ingrained in our everyday lives,” predicted Darrell Long, vice president of product management at One Identity, an identity and access management provider. “However, with the rapid adoption of RPA, security has become an afterthought, leaving major vulnerabilities.” RPA technologies hold privileged data and that makes them lucrative targets for cybercriminals. CIOs must pay close attention to the security of the RPA tools they use and the data they expose to ensure their business is not infiltrated by malicious actors.

Storage attacks

Cybercrimes are not only rising — they are also evolving. Attackers have realized that data in storage systems are key to an organization’s operations. “Hackers are now targeting network attached storage (NAS) devices, according to the data revealed in a new Kaspersky report. This new type of attack presents a significant problem to businesses using only NAS devices to store their backups,” said Doug Hazelman, a software industry veteran with over 20 years of experience.

According to Kaspersky, there was little evidence of NAS attacks in 2018, but as hackers realized the benefits, they caught users off guard since NAS devices typically don’t run antivirus or anti-malware products. Hackers exploited this shortcoming to put 19,000 QNAP NAS devices at risk.

Organizations should keep their systems updated with the latest security patches and ensure only necessary devices are reachable from public networks. Per Hazelman’s recommendation, “to prevent cybercriminals from infecting backups with malicious software, CIOs should ensure company backups are being stored on two different media types, one of which being cloud storage, which has several benefits, including increased security.”

Reaching for the clouds

Contrary to the other technologies on this list, ransomware has largely left the cloud untouched. However, as companies continue to transition their servers and data to the cloud for more cost-efficient solutions, criminals will shift their focus. The current attacks have largely been due to cloud misconfigurations or stolen credentials, but since the cloud has become a one-stop shop for all data, it’s becoming the new battleground.

What we need to do about cybersecurity threats

By now, we’ve seen how devastating cyberattacks can be, and that the risks are steadily increasing. Security must be a priority and not an afterthought. While new technologies promise convenience and increased returns, CIOs must make sure the security risks do not outweigh the gains.

Go to Original Article
Author:

For Sale – Nvidia RTX-2080 Ti – Cheapest you can get!

Europe’s busiest forums, with independent news and expert reviews, for TVs, Home Cinema, Hi-Fi, Movies, Gaming, Tech and more.

AVForums.com is owned and operated by M2N Limited,
company number 03997482, registered in England and Wales.

Powered by Xenforo, Hosted by Nimbus Hosting, Original design Critical Media Ltd.
This website uses the TMDb API but is not endorsed or certified by TMDb.

Copyright © 2000-2020 E. & O.E.

Using AI for Good with Microsoft AI

Partner Story

Celebrating priceless architecture in France

The Musée des Plans-Reliefs is bringing architecture to life using AI and mixed reality. Viewers are immersed in an experience that uses technology to recreate a vital piece of French history and culture, based on a relief map of the historic Mont-Saint-Michel.

Learn about relief map project
Go to Original Article
Author: Microsoft News Center

For Sale – Oculus Rift VR headset

Hi

Selling my Oculus Rift as it’s just not getting used that much. I have only used it to play the occasional game of Beat Saber and Project Cars VR and so the condition is very good, it comes boxed with everything apart from the lens cleaning cloth.

If anybody is looking to get into PC VR then this is still a great starting point.

Pictures below.

Thanks for looking.

Location
St.Helens
Price and currency
£190
Delivery cost included
Delivery Is Included
Prefer goods collected?
I have no preference
Advertised elsewhere?
Not advertised elsewhere
Payment method
PPG

For Sale – Phanteks ITX Case & ThermalTake 730W Semi-Mod PSU – £59 delivered / 2 x Toshiba 1GB 7200 3.5″ SATA Drives – £25 delivered

The CPU is worth more than £70 IMHO. That puts it less than the Ryzen 3 3200G which is about £80 new and the 2400G is a much better processor all-round.

I have seen some go for that on eBay but you take your chances on there and there is no warranty, whereas mine is covered until May 2020.

In the interest of striking up a deal I am willing to drop to £225 delivered, but delivery will cost me at least £15 insured, so that’s really all the wiggle room I have with it on this occasion.

Just to confirm, this is the same set of components I have been using for the last 8 months with no problems. (I am currently using it to type this reply on) so there is no issue with compatibility.

For Sale – Samsung 34 Inch 21:9 WQHD (Reduced £200)

This monitor is too big for me, so looking to sell after a downsize. I’ve only used it for work so I can’t comment on gaming.

Samsung LS34J550WQUXEN 34 inch LED Monitor
Blue/grey colour
3440 x 1440 VA panel
VESA Compatible

Collection only please. Open to offers.

The only things that have bothered me are the loose power cable (not an issue if left static on desk) and the stand is not height adjustable.

Location
York England
Price and currency
£200
Delivery cost included
Delivery is NOT included
Prefer goods collected?
I prefer the goods to be collected
Advertised elsewhere?
Advertised elsewhere
Payment method
Cash or bank transfer

The new Washington Privacy Act raises the bar for privacy in the United States – Microsoft on the Issues

This month, a bipartisan group of legislators in Washington state presented new legislation that could soon become the most comprehensive privacy law in the country. The centerpiece of this legislation, the Washington Privacy Act as substituted, goes further than the landmark bill California recently enacted and builds on the law Europeans have enjoyed for the past year and a half.

As Microsoft President Brad Smith shared in his blog post about our priorities for the state of Washington’s current legislative session, we believe it is important to enact strong data privacy protections to demonstrate our state’s leadership on what we believe will be one of the defining issues of our generation. People will only trust technology if they know their data is private and under their control, and new laws like these will help provide that assurance. We’re encouraged that privacy legislation in Washington has been welcomed by privacy advocates such as Consumer Reports and the Future of Privacy Forum.

To date, the U.S. has taken the approach of enacting privacy law in just a few key areas, such as financial services, children and some health data. However, on average, people today produce 25 times the online data they did in 2010, and this data no longer just records our medical checkups or banking activities but just about every aspect of our lives. The Washington Privacy Act addresses these significant gaps by creating comprehensive baseline protections. As the United States Congress continues to work on these safeguards, states such as Washington have the opportunity to move faster and give people the protections they deserve.

Washington came close to passing a good bill last year. As I wrote in April 2019, every year we kick the can down the road is another year we’ll spend searching for the perfect legislation rather than starting to provide people with needed protection, and then building on a strong foundation. And people are overwhelmingly voicing their support for the legislature to take action now. In a Crosscut/Elway poll conducted in December 2019, 84% of Washington respondents supported “strengthening consumer protections for personal data online” and placed privacy above issues such as carbon emissions and rent control.

Why the Washington Privacy Act is strong

The Washington Privacy Act, introduced by Senator Reuven Carlyle, has four core components that we believe are critical in any comprehensive privacy bill.

Corporate responsibility: First, it holds companies responsible for ensuring they only use data for the reason they collect it and with the permission of their customers. If a company collects someone’s phone number for the purpose of two-factor authentication, they shouldn’t then be permitted to use that information for targeted ad or search purposes.

Consumer empowerment: Second, it gives people the ability to control their data by providing rights to access, correct, delete and relocate their data, and to limit a company’s ability to use their data.

Transparency: Third, it requires companies to be clear about their intentions for collecting people’s personal data in a way that is easy to understand.

Strong enforcement: Fourth, it enables the state attorney general to ensure companies comply with the law. The state attorney general can take legal action with penalties up to $7,500 per violation, meaning total penalties for a non-compliant company could – depending on the number of people affected – amount to hundreds of millions of dollars. In addition to attorney general enforcement, the Washington Privacy Act requires companies to be responsive to consumer requests for information about what data of theirs companies have and how that data is used.

This year’s bill has significant improvements over last year’s legislation. For example, it now requires companies to tell people why their data is being collected and to use it only for that purpose, ensures companies only collect the minimum data needed for that purpose, and prohibits companies from using data in new ways that are different and distinct from the reasons they collected the information in the first place.

Prevent a “race to the bottom” with facial recognition

In addition to addressing the four privacy principles, the Washington Privacy Act sets standards for how and when companies can use facial recognition technology. This portion of the bill includes a range of steps to protect people from this largely unregulated technology, and we think four are particularly worth discussing.

Fairness: First, suppliers of facial recognition technology must build their technology so that third-party research organizations can test its accuracy and examine it for bias. When undisclosed problems with the technology are discovered, suppliers must take action.

Consent: Second, the default rule is that people must give permission for companies to add their image to a facial recognition database and this consent must be meaningful, not just a footnote buried in legal jargon.

Notification: Third, in any public place where facial recognition technology is used, companies must post clear notice.

Human Review: Fourth, results of facial recognition must be verified when critical decisions such as mortgage approvals or employment considerations are being made, and humans have to be involved in the decision-making process.

The Washington Legislature will also consider an important proposal to regulate the use of facial recognition by government. A bill proposed by Senator Joe Nguyen contains many of the safeguards the Washington Privacy Act applies to corporate use as well as new rules to be applied to governmental scenarios. For example, the technology can only be used in public places to address serious crimes when a search warrant has been issued or when there’s a genuine emergency such as a terrorist threat or a kidnapped child. Law enforcement must disclose to defendants when facial recognition is being used in a legal case against them.

As Brad Smith has outlined, if we don’t act, we risk waking up five years from now (or even sooner) to find that facial recognition services have spread in ways that exacerbate societal issues. By setting boundaries before, during and after deployment of facial recognition, we hope that these regulations offer the public more opportunity to be involved in the decisions regarding the acceptable use of the technology by commercial actors as well as state and local authorities. Neither the Washington Privacy Act nor the Nguyen bill provide all the answers to the challenges that will arise with this technology, but both bills provide strong baseline standards that will give people meaningful protections for the first time. Passing these bills in this session will allow the legislature to focus future sessions on building and improving upon them.

Open public dialogue

We believe advocating for laws like these is good for our customers and important for holding the industry to higher standards than the law does today. Microsoft has been engaged along with dozens of entities including companies, privacy experts, advocacy groups and legislators invited to comment on early draft proposals leading up to this session. We are committed to working with lawmakers and stakeholders to ensure the final bill provides comprehensive privacy protection for all Washingtonians. You can learn more about our efforts from last week’s testimony.

Go to Original Article
Author: Microsoft News Center

For Sale – Basic Desktop PC Photo’s added

Location
Brandon / Suffolk / UK / IP27
Price and currency
£125
Delivery cost included
Delivery is NOT included
Prefer goods collected?
I have no preference
Advertised elsewhere?
Not advertised elsewhere
Payment method
PPG / BT / Cash

Using Azure AD conditional access for tighter security

As is standard with technologies in the cloud, the features in Azure Active Directory are on the move.

The Azure version of Active Directory differs from its on-premises version in many ways, including its exposure to the internet. There are ways to protect your environment and be safe, but that’s not the case by default. Here are two changes you should make to protect your Azure AD environment.

Block legacy authentication

Modern authentication is Microsoft’s term for a set of rules and requirements on how systems can communicate and authenticate with Azure AD. This requirement is put in place for several security benefits, but it’s also not enforced by default on an Azure AD tenant.

Legacy authentication is used for many types of attacks against Azure AD-based accounts. If you block legacy authentication, then you will block those attacks, but there’s a chance you’ll also prevent users from performing legitimate tasks.

This is where Azure AD conditional access can help. Instead of a simple off switch for legacy authentication, you can create one or more policies — a set of rules — that dictate what is and isn’t allowed under certain scenarios.

You can start by creating an Azure AD conditional access policy that requires modern authentication and otherwise blocks the sign-in attempt. Microsoft recently added a “report only” option to conditional access policies, which you should use and leave on for a few days after deployment. This will show you the users still using legacy authentication that you need to remediate before you enforce the policy for real. This helps to ensure you don’t stop users from doing their jobs.

However, this change will severely limit mobile phone email applications. The only ones officially supported with modern authentication are Outlook for iOS and Android, and Apple iOS Mail.
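The report-only workflow described above can be sketched as follows. This is an added example, not code from the original article or from Microsoft: it builds a policy body in the shape the Microsoft Graph conditional access API accepts and triages sign-in records to list who would be blocked on enforcement. The sample records are constructed, and the set of `clientAppUsed` values treated as legacy is an assumed subset.

```python
# Added example: report-only policy for legacy authentication plus
# triage of sign-in records before the policy is enforced.
import json
from collections import defaultdict

# Assumption: a subset of the clientAppUsed values that indicate legacy auth.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
}


def build_block_legacy_policy(enforce=False):
    """Body for Microsoft Graph POST /identity/conditionalAccess/policies."""
    return {
        "displayName": "Block legacy authentication (example)",
        # Report-only records what the policy would do without blocking anyone.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def users_to_remediate(sign_ins):
    """Map each user to the legacy clients they still sign in with."""
    hits = defaultdict(set)
    for rec in sign_ins:
        client = rec.get("clientAppUsed", "")
        if client in LEGACY_CLIENTS:
            hits[rec["userPrincipalName"].lower()].add(client)
    return {user: sorted(clients) for user, clients in sorted(hits.items())}


def ready_to_enforce(sign_ins):
    """True only when the observation window shows no legacy sign-ins."""
    return not users_to_remediate(sign_ins)


# Constructed sample records using two fields of the Graph signIn resource.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "Bob@example.com", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "carol@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "POP3"},
]

if __name__ == "__main__":
    print(json.dumps(build_block_legacy_policy(), indent=2))
    for user, clients in users_to_remediate(SAMPLE_SIGN_INS).items():
        print(f"remediate {user}: {', '.join(clients)}")
    print("safe to enforce:", ready_to_enforce(SAMPLE_SIGN_INS))
```

Switch to `build_block_legacy_policy(enforce=True)` only after `ready_to_enforce` returns true for the whole observation period.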

Implement multifactor authentication

This sounds like an obvious one, but there are many ways to do multifactor authentication (MFA). Your Microsoft licensing is one of the factors that dictates your choices. The good news is that options are available to all licensing tiers — including the free one — but the most flexible options come from Azure AD Premium P1 and P2.

With those paid plans, conditional access rules can be a lot nicer than just forcing MFA all the time. For example, you might not require MFA if the user accesses a Microsoft service from an IP address at your office or if the device is Azure AD-joined. You might prefer that both of those scenarios are requirements to avoid MFA while other situations, such as a user seeking access on a PC not owned by the company, will prompt for extra authentication.

MFA doesn’t have to just be SMS-based authentication. Microsoft’s Authenticator App might take a few more steps for someone to set up the first time they register, but it’s much easier to just accept a pop-up on your mobile device as a second factor of authentication, rather than waiting for an SMS, reading the six-digit number, then typing it into your PC.

Without MFA, you’re running a high risk: an internet-exposed authentication system lets attackers easily try leaked credentials or use spray attacks until they hit a successful login with a username and password.

The other common attack is credential phishing. This can be particularly successful when the threat actor uses a compromised account to send out phishing emails to the person’s contacts or uses fake forms to get the contacts’ credentials, too. This would be mostly harmless if the victim’s account required MFA.

Accounts in Azure AD will lock out after 10 failed attempts without MFA, but only for a minute, with the lockout time gradually increasing after further failed attempts. This is a good way to slow down the attackers, and it’s also smart enough to only block the attacker and keep your user working away. But the attacker can just move on to the next account and come back to the previous account at a later time, eventually hitting a correct password.
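Because per-account lockout does not see an attacker who spreads a few guesses across many accounts, a defender has to look at breadth per source instead. The following is an added detection sketch, not part of the original article: it scans sign-in records for one source address failing against many distinct accounts within a time window. The records are constructed, the field names follow the Graph signIn resource, and the window and account thresholds are assumptions to tune.

```python
# Added example: flag password-spray patterns that stay under account lockout.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10  # failed attempts before lockout, as stated in the article


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(sign_ins, window=timedelta(hours=1), min_accounts=5):
    """Return {ip: summary} for sources failing against many accounts per window."""
    failures = defaultdict(list)
    for rec in sign_ins:
        if rec["status"]["errorCode"] != 0:  # 0 means the sign-in succeeded
            failures[rec["ipAddress"]].append(
                (parse_time(rec["createdDateTime"]), rec["userPrincipalName"].lower())
            )

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_account[user] += 1
            best = flagged.get(ip)
            if len(per_account) >= min_accounts and (
                best is None or len(per_account) >= len(best["accounts"])
            ):
                worst = max(per_account.values())
                flagged[ip] = {
                    "accounts": sorted(per_account),
                    "max_failures_per_account": worst,
                    # False here means lockout never slowed this source down.
                    "lockout_triggered": worst >= LOCKOUT_THRESHOLD,
                }
    return flagged


def make_record(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: one source tries 6 accounts twice each in 22 minutes;
# another is a single user mistyping a password, then signing in.
# 50126 is Azure AD's invalid username or password error code.
SAMPLE = (
    [make_record(f"2020-01-15T09:{i * 2:02d}:00Z", f"user{i % 6}@example.com",
                 "203.0.113.7", 50126) for i in range(12)]
    + [make_record(f"2020-01-15T09:{m:02d}:30Z", "erin@example.com",
                   "198.51.100.20", 50126) for m in range(4)]
    + [make_record("2020-01-15T09:05:00Z", "erin@example.com", "198.51.100.20", 0)]
)

if __name__ == "__main__":
    for ip, summary in detect_spray(SAMPLE).items():
        print(ip, summary)
```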

Azure AD conditional access changes are coming

The above recommendations can be enabled by four conditional access baseline policies, which should be visible in all Azure AD tenants (still in preview), but it appears these will be removed in the future.

Figure: Microsoft plans to replace the baseline protection policies with security defaults

The policies will be replaced by a single option called Security Defaults, found under the Manage > Properties section of Azure AD. The baseline policies helped you be a bit more granular about what security you wanted and the enablement of each feature. To keep that flexibility, you’ll need Azure AD Premium once these baseline policies go.

Turning on Security Defaults in your Azure AD tenant will:

  • force administrators to use MFA;
  • force privileged actions, such as using Azure PowerShell, to use MFA;
  • force all users to register for MFA within 14 days; and
  • block legacy authentication for all users.

I suspect the uptake wasn’t enough, which is why Microsoft is moving to a single toggle option to enable these recommendations. I also hazard to guess that Microsoft will make this option on by default for new tenants in the future, but there’s no need for you to wait. If you don’t have these options on, you should be working on enabling them as soon as you can.

Wanted – External graphics enclosure (with TB3)
