Now Is A Good Time To Upgrade To SSD Drives

If you’ve been considering swapping out some of your old HDDs to SSDs, now is a great time to do so, thanks to the convergence of two factors.

First is the fact that the manufacturers of SSDs have been making strides in terms of increasing the capacity of the drives they’re offering. They are doing this while simultaneously offering other enhancements that reduce data duplication, making their products faster and more efficient than their HDD counterparts.

Second is the fact that there is currently a dramatic oversupply of memory chips, which has been allowing SSD manufacturers to lower the prices of the products they’re selling.

According to a recently released report from DRAMeXchange:

“The oversupply will continue in NAND Flash market, where suppliers face the pressure to consume production capacity.”

The company is anticipating that the average price of enterprise PCIe SSDs and SATA SSDs could fall by ten percent or more over the course of the next quarter.  Further, the firm notes that the enterprise SSD market has been growing at a blistering pace.  This year, they expect that the sales of SSDs will top 30 million units, up from less than 20 million just last year, and the company expects a similar rate of growth for at least the next three years.

It seems that businesses of all shapes and sizes are enthusiastically lining up behind SSD technology, and with good reason.  Not only are the prices increasingly attractive, but manufacturers are really going the extra mile by offering a raft of new capabilities, in addition to more overall storage capacity.

Obviously, this convergence of factors won’t be long-lived, so if you’ve been planning to upgrade your equipment, now is the time to do so before the winds change direction and prices start to increase again.

Does Your Business Have A Cybersecurity Incident Response Plan?

If your company has an incident response plan that you can rely on in the face of a cyber attack, then you’re ahead of most of the world, according to research recently conducted by the Ponemon Institute.  Shockingly, more than 75 percent of survey respondents from around the world admitted that they have no formal incident response plan.  Even worse, half of the companies that indicated they had an incident response plan said that it was informal.

Curiously, given these statistics, 72 percent of organizations indicated that they were more resilient today than they were the year before. They also indicated a high level of confidence in their staff to respond appropriately to any problem that arose.

Given the stark reality and the ever-increasing number of attacks, that comes off more like bravado than genuine confidence.  Ted Julian, the Vice President of product management of IBM Resilient (sponsor of the Ponemon Institute’s research) had this to say:

“Having the right staff in place is critical, but arming them with the most modern tools to augment their work is equally important.  A response plan that orchestrates human intelligence with machine intelligence is the only way security teams are going to get ahead of the threat and improve overall cyber-resilience.”

This year, most of the provisions of a new piece of legislation, GDPR (General Data Protection Regulation), come into effect, and companies that don’t have a formal incident response plan by then could pay a hefty price.  Even if that weren’t the case, the research concluded that the overall cost of a data breach was nearly a million dollars lower on average when companies were able to deal with the breach decisively and contain it within thirty days.

The bottom line is, if you don’t have one yet, now is the time.

No Spectre Fix For Certain Intel Processors

The bad news just doesn’t seem to stop where Intel and the Spectre vulnerability are concerned.  The latest bit of news comes directly from Intel, as the company admits that it’s just not possible to address the Spectre vulnerability in some of its older hardware. This means that nine families of chips and more than 230 models of computers (mostly manufactured between 2007 and 2011) will remain vulnerable to Spectre forever.

The company has stopped Spectre mitigation development on the following families of chips:

  • Bloomfield
  • Clarksfield
  • Gulftown
  • Harpertown Xeon
  • Jasper Forest
  • Penryn
  • SoFIA 3GR
  • Wolfdale
  • Yorkfield

A company spokesman had this to say about the recent announcement:

“We’ve now completed the release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google.  However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”

It’s unfortunate, but not entirely unexpected.  If you have any older Intel equipment still in service at your company, have your IT group check the processor family. If it’s one of the above, it’s well worth marking those systems high priorities for upgrades, and limiting their use until you can.

Spectre is a devastating flaw, and it’s just not worth the risk to leave exposed systems connected to your network and in service. This is especially true now that it’s official that no help is coming for certain older systems.

Even worse, AMD chips, which are not impacted by Spectre and Meltdown, have since been found to have their own critical security flaws.  While not as bad or as pervasive as the two Intel is facing, they will nonetheless require the company to issue its own microcode updates, which they are currently scrambling to do.

The long and the short of it is that there really are no safe harbors anymore.

FBI Advises Users To Reboot Their Routers

Cisco’s Talos Security Team has identified a new threat, and it’s a nasty one impacting more than half a million consumer-grade routers in the US.  According to the Talos Team’s report, the new malware is impacting a broad cross-section of routers made by TP-Link, QNAP, Netgear, Mikrotik, and Linksys.

Known as “VPNFilter,” the malware currently infecting routers appears to be the first stage in a multi-phase attack, with the first segment allowing the hackers to collect a wide range of communications data and slave the device to launch attacks on others.  The code also contains a kill command that allows the hackers to destroy the device at will.

As of now, the FBI has already taken swift action and has seized a domain used by the hackers as a means to deliver the later stages of the attack. They report that the primary and secondary means of further infection have been dismantled.  They also report, however, that the hackers still have a fallback method of infection, which relies on sending “poisoned” data packets to each infected device.

Based on an evaluation of the code and the presence of redundant mechanisms for delivering the later stages of the infection, the code has been traced to a Russian hacking group with deep ties to the Russian government.  The group is known by a variety of names, including Fancy Bear, Sofacy, APT 28, and Pawn Storm.

On the heels of seizing the domain, the FBI released a statement that includes:

“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices.  Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled.  Network devices should be upgraded to the latest available versions of firmware.”

Microsoft Purchases GitHub – What Does This Mean For Open Source?

Microsoft just made a big, significant purchase that has raised more than a few eyebrows.  They just acquired GitHub for a hefty $7.5 billion.

What makes the purchase interesting and potentially troublesome is that Microsoft is the world’s largest proprietary software company, and GitHub is the world’s largest open source hosting service.

The natural question on everyone’s mind then, is what does this mean for open source?  Is it doomed?  Is it soon to go the way of the dinosaur, or will Microsoft hold the reins of power loosely and let open source continue to flourish?

Those are fair questions, especially given that GitHub is used by more than 28 million developers around the world, and is home to more than 85 million code repositories.  In addition to that, the company was built on Git, which is an open source version control software written by Linus Torvalds (the creator of Linux). Its founders have worked hard to develop innovative workflows that have made the hub easy to use and work with.

The fear is that Microsoft will start strangling those developments and insist that GitHub begin using proprietary Microsoft products.  While it’s too early to say for certain, the early indications are encouraging.  Microsoft has stated that GitHub will be allowed to retain its status as an “open platform” and its service will continue to be offered for free.

Having said that, there will be some changes, including the fact that Microsoft will be offering integration between its AppCenter mobile testing service and projects hosted on GitHub.  This builds on previous collaborations between Microsoft and GitHub.  Last year, GitHub announced that they would support Microsoft’s “Git Virtual File System,” which the company designed for enterprise-sized data repositories.

The skeptics are right to be skeptical, but so far, the early indications are positive.  Note that it’s not a done deal just yet.  The merger is subject to regulatory approval in both the US and the EU.

Study Shows Employee Satisfaction Is Higher With Technology Improvements

A new study recently published by HPE Aruba, called “The Right Technologies Unlock The Potential Of The Digital Workplace,” reveals some interesting details about technology in the workplace that are worth paying attention to.

The study was conducted by collecting feedback from more than seven thousand companies of various sizes around the globe.  These were broken broadly into two groups: “Digital Revolutionaries,” which made more and better use of cutting edge technology, and “Digital Laggards” which were slower to adopt the latest and greatest technologies.

The headline statistic is that 51 percent of employees working in companies employing more technology reported greater job satisfaction, and an impressive 72 percent of employees in these companies reported a greater ability to adopt new work-related skills.

Other intriguing statistics include:

  • 31 percent of respondents in the “Digital Laggard” category indicated that tech aided their professional development, compared with 65 percent in the “Digital Revolutionary” category
  • 92 percent of respondents said that more technology would improve the workplace overall
  • 69 percent of respondents indicated a desire to see fully automated equipment in more widespread use in the workplace

Joseph White, the Director of Workplace Strategy, Design and Management at Herman Miller said in a press release:

“No matter the industry, we’re seeing a move toward human-centric places as enterprises strive to meet rapidly changing expectations of how people want to work.  This depends upon combining advances in technology -which includes furnishings- with the cognitive sciences to help people engage with work in new ways.  This will not only mean singular, premium experiences for individuals, but also the opportunity for organizations to attract and retain the best talent.”

The study notes, however, that cyber security issues remain as challenging as ever.  Survey respondents reported lower than average cyber security awareness, which could lead to greater risks and exposure as workplaces become increasingly digitized.

While a small majority (52 percent) of respondents reported thinking about cybersecurity often (daily), fully a quarter have connected to unsecured WiFi and one in five reported using the same passwords across multiple web properties. These are the two most dangerous cybersecurity-related behaviors.

Clearly, increased technology has its risks.

Researchers Find Major Vulnerabilities In Banking Apps

Do you do your banking online?  If so, there’s bad news in the form of a report recently released by the security firm “Positive Technologies.”

The company tested a variety of websites using a proprietary tool they developed in-house, which scans websites for security flaws.  While flaws were found across a wide range of industries, literally every banking site Positive Technologies tested was found to have serious security flaws.

The particulars varied from one bank to the next, but the security flaws included:

  • XML external entity errors
  • Arbitrary file reading and modification flaws
  • Expired or nonexistent SSL certificates
  • Poor or nonexistent encryption

Some banking websites were so flawed that a hacker could execute a ‘man in the middle’ attack and execute malicious code to infect the user’s machine. They could potentially make off with all their money and with more than enough information to steal their identity.

Some 80 percent of sites tested were found to be vulnerable to XSS (cross-site scripting) attacks.

Regardless of the specific vulnerability, the big, terrifying takeaway from the Positive Technologies report is simply this:  Of the financial sites they tested, 100 percent of them were found to have vulnerabilities.

These are the people who are tasked with safeguarding your money, and they’re obviously not doing enough to keep their websites secure.

Firewalls and basic detection protocols are simply not enough.  The hackers of the world have matured and gotten better at what they do, and security professionals simply haven’t been improving as quickly.  This is the reason we’re seeing such a massive spike in high-profile data breaches, and the reason each year is a new, record-breaking year, beating out the one before, often by a wide margin.

Until that changes, everyone is at risk.  Given how important the internet has become to international commerce and modern life, that’s simply unacceptable.

Attackers Targeting Job Seekers Via Listings And Recruitment

Cyber-criminals around the world are increasingly focusing their attention on job seekers.  According to the security firm Flashpoint, there has been a notable uptick in ploys involving phony job listings that attempt to get job seekers to give up personal information.

Perhaps the biggest surprise is the fact that this is only now becoming a growing threat.  From the cyber-criminal’s point of view, it’s low-hanging fruit.  After all, job seekers expect that they’ll be asked for all types of personal information when applying for positions.

As long as the criminals take the time to make their offers appear legitimate, most applicants wouldn’t think twice about sending in their resume (complete with physical address and phone number), and then, a bit later in the process, their social security number and other personal and confidential information.

According to Flashpoint analyst David Shear, it’s not just personal information the criminals are after, however.  Increasingly, criminals are seeking to engage the services of the people who “apply,” by using them as unwitting money mules, or using them as part of an intricate money laundering scheme.

On top of that, it’s all too easy for the criminal to respond to an applicant’s inquiry with an email containing an attachment (usually a poisoned PDF).  Again, since the applicant thinks he (or she) has replied to a legitimate offer for employment, odds are excellent that they’ll open the attachment without hesitation.

At that point, whatever payload the poisoned file contained is installed onto their computer, which can have devastating consequences, depending on the nature of the malware the criminals want to install.

Shear also notes that he and his team have seen an increase in the number of inquiries on the Dark Web asking after compromised business accounts, and offers this explanation as to why: “Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge.”

All that to say, job seekers beware.  It seems that no low is too low where these criminals are concerned.

Bank Employee Steals Info On Over A Million Customers

Atlanta-based SunTrust Bank is the 12th largest bank in the US. It has a major problem, and so do roughly a million and a half of its customers.  According to CEO William Rogers, an unidentified employee of the firm printed a vast amount of private customer information, including their names, addresses, phone numbers and account balance information.

Rogers stressed that social security numbers, account numbers, driver’s license numbers, user IDs, and passwords were not exposed.  In a recent press release, he had the following to say:

“In conjunction with law enforcement, we discovered that a former employee while employed at SunTrust may have attempted to print information on approximately 1.5 million clients and share this information with a criminal third party.

We and third parties have done forensic analysis on these accounts and we have not identified significant fraudulent activity regarding the effect of the accounts.”

Even so, this is a blow to the company’s image, and the lost trust won’t be easily regained.  It also underscores how vulnerable companies are to internal threats.

In response to the attack, SunTrust is offering ongoing IDnotify identity protection (offered through Experian) to all its current and new clients at no cost.

The company’s handling of the issue so far has been about as good as can be expected.  The unfortunate reality is that there aren’t many good ways of stopping a rogue employee from making off with sensitive customer data or proprietary company information.  Better auditing protocols and controls can help, but only to a certain extent.  While those kinds of policies make it easier to detect when an internal theft has occurred, they do nothing to actually prevent it.

This puts management in a tricky spot.  Employees have to be trusted with sensitive data in order to do their work, which also increases risk.  There aren’t many good solutions here beyond better vetting of employees, but of course, that is by no means a magic bullet either.