Posts Tagged

Cyber Security

Is It True Macs Don’t Get Viruses? Short Answer: No!

Elizabeth Technology January 24, 2023

Absolutely not. Here’s why!

Apple devices are slightly harder to weasel into from outside, but that doesn’t mean that it’s impossible. A virus has to be crafted differently to even function on an Apple computer. For the same reason that Apple needs its own version of browsers and games, it needs its own version of viruses, and with Microsoft being the default for most ‘sensitive’ systems, like pharmacies, school networks, and hospitals, hackers and other malicious individuals just don’t seem to care that much about Mac devices.

But not caring that much is not the same as not caring at all.

Apple’s known virus count is slowly creeping up, although viruses that use weaknesses in the system to get in are quickly made obsolete by updates. Apple viruses are a special kind of pain to deal with because the person who made them surely made them out of spite – as said previously, Mac’s system is not compatible with Microsoft’s, so viruses are custom tailored.

Apple’s recommendation is to completely avoid third party apps – for good reason. The primary way that malware ends up in the computer’s system is via scam downloads. Those can look like a couple different things. Everybody (or almost everybody) knows not to click those flashing banners at the top of blog sites that advertise “FREE iPAD! CLICK NOW!” because it used to be the most common way to steal information from non-tech-savvy people.

“Free Flash Player!” “Free Game! Connect With Friends! Download Now!” are its equally outdated cousins. Anything that tells a Mac user that they need to download it has the potential to be a virus, and if the user is unlucky enough to get a virus prepared for a Mac, they’re in for a headache. But it’s tough to trick people with those flashing banners anymore, right? So…

The next easiest way is to fake an email from an app publisher, or even from Apple itself! This still won’t get a lot of people, but the people who fell for the flashing banners the first go-round might fall for an email that looks juuuuust official enough to make them doubt themselves.

One version of this scam involves sending an email with a downloadable attachment to ‘fix’ a ‘virus’ that ‘Apple’ has detected on the device. That’s not Apple, and there’s no virus until the recipient downloads the attachment. That was the goal! And now the virus is on the computer. Oh no!

Alternatively, if you’ve downloaded some game or another that you trusted, even though it was third party, and then received an email about a big patch that needs to be downloaded, you might fall for it! Depending on the game, they could have your email to send patches to, right? Official platforms like Steam certainly have their users’ email.

And that’s not even the game download itself! Downloading a game off of third party websites can lead to some nasty results, which is why Apple goes out of its way to warn you every step of the download, and also warn you off of third party downloads in every help forum. The risk that what you downloaded could be malware is just not worth the inconvenience of waiting for that game to come out on an Apple-licensed platform.

Long story short: it’s very possible, albeit difficult, to get viruses on a Mac computer. Don’t download attachments from strangers!

Source: Apple.com resources

Sony: DRM Overkill

Elizabeth Technology December 22, 2022

In 2005, an organization had been covertly installing a program similar to a rootkit onto consumer devices without warning. For those who haven’t heard it before, a rootkit is simply a program that is designed to remain unfindable on a device. They aren’t all bad, but their difficult-to-detect nature and ability to evade even aggressive anti-virus makes them a top-of-the-line tool for hackers.

The rootkit was on the lookout for ‘suspicious activity’, and if it detected any, it would quietly alert the parent company. However, even if you had nothing to hide, you still had something to fear: the rootkit left a gaping security hole, and a smart enough hacker could piggyback off of it to get Trojan Horses, Worms, and other nasty bugs in without alerting the computer that “hey, there’s an .exe file doing weird stuff!”

The rootkit was designed to hide itself, and it would hide the bugs behind it. There was no mention of this anywhere in the EULA for the program that had the rootkit. The parent company hadn’t meant to leave a backdoor, but they did, and attempts to fix it without removing their own program just made the problem worse. Attempting to fake fixing it with an uninstaller only hid the program deeper in the system, and trying to uninstall it could brick the computer, depending on which program you got. They’d really screwed themselves, and they hadn’t expected to get caught.

This wasn’t some Russian hacking scheme, or some government overreach – it was Sony, attempting to keep copyrighted material off of pirating websites. Talk about an overreaction.

The History

At some point, a company has to admit it would rather ruin the legitimate user’s experience than let a pirate go unpunished. That’s very understandable: stealing is wrong, and smug pirates behaving like they’ve gotten one over on ‘the system’ are frustrating. Ordinary responses to this can be anything from asking for the license # on the inside of the clear case to more subtly ruining the audio quality of pirated copies. This is a normal level of copyright protection. Very determined pirates could still get around these measures, but hey, you can’t spend all your resources on the fringe cases.

Companies are aware of this, and some begin to factor ‘unstoppable piracy’ into their calculations – you know, like grocery stores will factor in ‘lifting loss’. Companies usually determine they’d be spending more on preventative measures than they’d be keeping on the shelves. Theft is wrong, but so is littering and driving without a license. Somehow, all three still happen anyway no matter how huge the fine gets. Sony is very mad that pirates are getting away with fresh content, and they want to do the equivalent of TSA pat-downs on everybody at the exit of the grocery store to stop a small percentage of thieves.  They don’t care anymore; nobody is going to get away with it.

Was it Reasonable?

Napster and LimeWire are making inroads into the music industry’s profit, and 2005 was the peak. The pirating of copyrighted content is only made easier with the rise of the internet, and Sony realizes it’s nigh impossible to find the illegitimate downloaders, and uploaders were only marginally easier. They decide to go for the source, but they decide to hit hard.

“The industry will take whatever steps it needs to protect itself and protect its revenue streams… It will not lose that revenue stream, no matter what… Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source – we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC… These strategies are being aggressively pursued because there is simply too much at stake.” – Sony Senior VP Steve Heckler

This quote was said in 2005, after Sony had merged with another company, BMG. BMG had an incident in Europe in the 2000s, when they’d released a CD without warning users of the copyright protection on the inside. Apparently, burning money to replace those CDs (and burning goodwill) was not enough of a lesson, and Sony and BMG together prepared to take a stand against pirates.

The Problem

They’re going after the big boys, the folks downloading music to upload everywhere else…for free.

These are the people depressing profits, in theory. Some companies theorize that once these people are gone, the people passively pirating by downloading stuff from them will also disappear and go back to buying the content. They’re somewhat right, and this audience shrinks over time. More on that later.

This is illegal and very annoying! The estimated lost sales from piracy were in the billions, and many companies were beginning to look at more intense DRM: Digital Restriction Management.

To some people, DRM is the root of all evil, the seed of the eventual downfall of consumers’ rights. After Sony’s screw-up, they were right to call it as such. John Deere, Apple, Sony, Photoshop, etc. are all slowly eating away at their own best features for the sake of pushing users into proprietary software. Software they’re not allowed to repair because of DRM. Take Deere: if a new Deere tractor detects a common tractor repairman’s diagnostic software, a Deere tractor will stop working until you call out a Deere technician. This obviously drives up demand for Deere technicians, and it’s horribly restrictive to the user. Adobe recently announced it was going to make using Pantone’s color book a subscription after offering it for free initially, and to really hammer home how annoying they were going to be about it, they’d black out any design aspect using those Pantone colors, ruining it. Consumers who want to keep their colors in Pantone’s library are now going to have to pay twice for the same service.

To others, DRM is an essential part of the free market. Companies should be allowed to protect what they made, and if users find their methods extreme, they shouldn’t have bought it. And in less extreme circumstances, they’re right! That’s what the EULA, the End User License Agreement, is for. The user can decide if they’re willing to put up with the DRM specified in the Agreement, and if they’re not, they don’t have to buy it. ‘If you pirate this, it will only play static’ is reasonable.

Sure, some super-cheapskate who found a sketchy download off some sketchy site is going to listen to static with Hint of Music, but the average user would rather buy the disc and be done with it. If the company can make the ripped upload sound like garbage when it’s off its home CD, they won. The company has successfully used DRM here to keep their honest customer honest. And they did it without destroying either computer!

Doing it this way means normal consumers still get a high-quality product, and if the DRM is limited entirely to the content itself, there’s no risk of it coming back to bite the company in the butt.

Still, if you really disagree with DRM, there were companies that successfully reduced their piracy problems in other ways. Some found that guilt was enough, others found that once certain websites were gone, their piracy problems disappeared too. Warning folks that piracy was still a crime got the people who didn’t know any better to stop. Fines did a number on the folks who were too bold or too dumb to not get tracked with non-DRM means, and for the people who were doing it because it was more convenient? They reduced their pirating when better paid methods became available. Sony’s problem could have been solved in a lot of ways!

Besides, Sony wasn’t struggling. Lost sales are not the same as losses! Companies are still making profit, just not as much as they’d like. Property is not being damaged, and nobody is experiencing physical harm as a result of pirating.

The Response

Sony’s DRM was a severe overreaction to the problem at hand, and it did lead to several lawsuits. As said at the beginning, Sony had not only installed software without the user’s knowledge, but they’d then left a big entry point for security threats to get in undetected. Hundreds of thousands of networks were affected, and some of them were government. Once someone blew the lid on the DRMs, they released a cover-up “uninstaller” that just hid the rootkit better and installed more DRM content on the user device.

This does not help!

The blown cover for the rootkit meant that black-hat hacking organizations could tool around and create something that could get into anything with that rootkit on it, undetected. Eventually Sony was forced to admit this was wrong, but not before screwing over a couple million people who just wanted to listen to Santana or Celine Dion. Over pirates.

Yeah, there’s some lost profit – but it doesn’t outweigh the regular customers.

As Stewart Baker of the Department of Homeland Security said, “it’s your intellectual property – it’s not your computer”.

The Aftermath

Sony’s first instinct is to hide it. As mentioned in the article above, the uninstaller available didn’t actually uninstall it, and some users reported issues of system crashes and their machine bricking up when the uninstaller’s poor programming tried to interact with the rest of the device’s programming.

Their second decision is to lie – ‘the DRM has no backdoors and doesn’t pose a risk to your computer’s security’. This is demonstrably untrue, and given that they were already in the beginning stages of recall, could be considered a deliberate lie.

Sony’s third action is to recall the discs with the DRM on it, but they don’t get all of the discs. Some users aren’t sure if their disc is affected or not, and even non-profit organizations dedicated to maintaining free internet can’t figure out what discs have it and what discs don’t. The best they can do is a partial list. Stores in New York and Boston are still selling the discs three weeks after the recall. However, users do get to swap their disc with an unprotected one through the mail. Sony seems to have acknowledged their screw-up at this point.

Sony’s fourth action is more a consequence – they stick a class-action lawsuit sign-up notice on their home website, and users affected can claim damages up until 2006. Class-action lawsuits filed by individual states start to drag down Sony’s profits more than the piracy ever did, and the end result is a mandate to put warnings on the cover of discs and to stop using DRM that could damage a user’s computer. DRM is still allowed, it just can’t be possible to destroy a computer to protect a song license. The feds actually considered this a breach of federal law and stated that it was engaging in deceptive and unfair business practices. Sounds about right – consumers wouldn’t have bought a disc that downloaded DRM without their knowledge. From conception to execution, this was a moral, ethical, and legal mistake. Way to go.

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

https://us.norton.com/internetsecurity-malware-what-is-a-rootkit-and-how-to-stop-them.html

https://www.wired.com/2006/12/sony-settles-bm/

https://www.theregister.com/2005/11/01/sony_rootkit_drm/

https://money.cnn.com/2005/06/24/news/international/music_piracy/

https://www.networkworld.com/article/2998251/sony-bmg-rootkit-scandal-10-years-later.html

https://fsfe.org/activities/drm/sony-rootkit-fiasco.en.html

https://digitalscholarship.unlv.edu/cgi/viewcontent.cgi?article=4058&context=thesesdissertations

https://www.networkworld.com/article/2194292/sony-bmg-rootkit-scandal--5-years-later.html

Public Risks to Your Machine

Elizabeth Technology December 20, 2022

1) Public Wifi

If you’ve been online in the past few years, you’ve likely seen this warning already from VPN ads and security experts: don’t connect straight to public WiFi if you can help it, and if you do, don’t do your online banking on it. If a hacker gains special access to the WiFi network without the actual owners knowing, they can see the data that travels to and from the systems attached to it.

2) Juice Jacking

There was a period of time between the phone security we see today and teeny-tiny tech found in things like micro-cameras where hackers could connect chips to public USB plug-ins and steal data. This happened either directly through the port or by downloading malware designed to send that info after a certain amount of time. The data at risk included things like pictures, app passwords, saved files and audio recordings: anything you wouldn’t want to share over USB. Luckily, a security conference revealed a lot of these issues before they became an epidemic, and between Android updating with a white-list system and Apple updating with security patches, juice jacking is less and less common. If you’re still worried, there are a number of ways that don’t rely on programming, like using the cable/adaptor that came with your device or using a cable with no data cord.

3) Illegitimately Named HotSpots

In this case, the hacker renames a WiFi source (which could be a phone hotspot or something similar) to something that you’re looking for. Maybe it’s the free WiFi for the hotel, and you don’t notice that there’s two of them before you go through the effort of logging in with your room’s key and the password they gave you – which the hacker doesn’t need, but it gives an air of legitimacy to the fake network. Now the hacker can see your online traffic, whether it be to apps on your phone or to websites on your laptop. Private information is no longer private.

This is different than the previously mentioned public WiFi: in this method, the hacker owns the fake network, where on public WiFi, they don’t. The legitimate admin on a WiFi channel that the hacker doesn’t own might eventually notice and kick them from it, but the WiFi source the hacker owns would need to be shut down to keep people off of it since the hacker is the source.

Renaming networks to get phones to auto-connect can also be a problem, but if it’s not done right, unseen data alerts the phone that HomeNetwork1 isn’t really the network it is supposed to auto-connect to. This means that this hack is more complicated than the method listed above; most people would probably pause for a second if their phone was asking for permission to connect to their home network from miles away, without a password. Social engineering a connection to a network the device is unfamiliar with anyway is an easier, more efficient way to steal data.

Be sure to turn off WiFi seeking features until you’re ready to connect to a specific network of your choosing, which removes this possibility altogether.
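The two warning signs in this section, a second network with the same name and a familiar name whose unseen details don’t match, can be checked against a list of nearby networks. This is an added example, not code from the original post; the scan entries, the `Hotel-Guest` name, the addresses and the saved profile are all constructed, and `HomeNetwork1` is the name used above.

```python
from collections import Counter, defaultdict

# Constructed scan results: one entry per access point a device can currently see.
SCAN = [
    {"ssid": "Hotel-Guest", "bssid": "02:00:00:aa:00:01", "security": "WPA2-PSK"},
    {"ssid": "Hotel-Guest", "bssid": "02:00:00:aa:00:02", "security": "WPA2-PSK"},
    {"ssid": "Hotel-Guest", "bssid": "02:00:00:bb:00:09", "security": "OPEN"},
    {"ssid": "HomeNetwork1", "bssid": "02:00:00:cc:00:05", "security": "OPEN"},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:dd:00:07", "security": "WPA2-PSK"},
]

# Constructed saved profile: the name the device remembers AND how that network is secured.
SAVED = {"HomeNetwork1": "WPA2-PSK"}


def review_scan(scan, saved):
    """Return (ssid, bssid, reason) for every access point that deserves a second look."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in sorted(by_ssid.items()):
        # Check 1: one name, several security modes. A real multi-AP deployment
        # configures every access point the same way, so the odd one out is suspect.
        modes = Counter(ap["security"] for ap in aps)
        if len(modes) > 1:
            top = max(modes.values())
            majority = [mode for mode, n in modes.items() if n == top]
            for ap in aps:
                # On a tie there is no trustworthy majority, so flag them all.
                if len(majority) > 1 or ap["security"] != majority[0]:
                    findings.append((ssid, ap["bssid"], "mixed-security"))

        # Check 2: a remembered name that no longer matches the remembered settings.
        expected = saved.get(ssid)
        for ap in aps:
            if expected is not None and ap["security"] != expected:
                findings.append((ssid, ap["bssid"], "profile-mismatch"))
    return findings


def auto_join_candidates(scan, saved):
    """Only networks matching a saved name and its saved security may be auto-joined."""
    return [ap["bssid"] for ap in scan if saved.get(ap["ssid"]) == ap["security"]]


if __name__ == "__main__":
    for finding in review_scan(SCAN, SAVED):
        print(finding)
    print("auto-join:", auto_join_candidates(SCAN, SAVED))
```

Several access points sharing one name and one security mode is normal in a hotel, so that alone is not flagged. A matching name and security mode says nothing about who runs the network, which is why the advice to pick networks deliberately still applies.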

4) Over the Shoulder

The simplest method of gaining illegitimate access to your accounts is via Social Engineering. Now, it’s not easy – if you’ve ever tried before out of curiosity, you’ll know that most people type too fast for your eyes to actually follow, and that’s not including hitting the shift key and adding in numbers or punctuation, etc. so it’s simple – not easy. But difficult is not impossible, and if your password is especially simple, or they watch you glance at a sticky note you’ve stuck somewhere to remember the password, the chance that they’ll successfully remember or find your password goes up. Remember, the best passwords are long and decently complicated!

Sources:

https://blog.malwarebytes.com/explained/2019/11/explained-juice-jacking/

https://us.norton.com/internetsecurity-mobile-what-is-juice-jacking.html

https://krebsonsecurity.com/2011/08/beware-of-juice-jacking/

https://www.androidpolice.com/2013/02/12/new-android-4-2-2-feature-usb-debug-whitelist-prevents-adb-savvy-thieves-from-stealing-your-data-in-some-situations/

https://www.consumerreports.org/digital-security/is-using-public-wifi-still-a-bad-idea/

What is DDoSing?

Elizabeth Technology December 6, 2022

DDoS stands for Distributed Denial of Service, and it’s usually used to mean that a website is pushed to its capacity limit and forcibly closed. It’s entirely possible to do this accidentally, and spikes in a website’s popularity can actually be more of a problem than a success!

What causes it?

The internet has been described as a series of tubes, a network of roads, and a whole host of other metaphors. At its most basic interpretation, a DDoS attack is like causing a traffic jam, or a clogged pipe, by sending or asking for so much data that the road lights stop working, or the valves have to shut. The server holding the website gets so many false requests for data that it can’t sort the legitimate ones from the weaponized ones, and everything slows to a crawl while it tries to catch up.

Different websites have different thresholds to reach before this becomes a problem, however, and this changes the way the attack is carried out. The resources needed to DDoS a site change depending on where the website’s infrastructure is weakest.

Modern Times

Websites allocate time, money, and resources differently depending on what they need. A website with a lot of far-flung servers may invest heavily in load balancing and firewalls, so someone attempting to DDoS them is going to have a heck of a time actually getting through that way. A video hosting website that’s recently switched to 4K is going to invest in more server space, so a SYN flood may be unsuccessful.

And then there’s small websites that sit somewhere in the middle – they don’t host a lot of videos, and nothing’s really demanding of bandwidth except their content library. These are the most vulnerable to DDoSing.

DDoS-ability is entirely based on the website’s resources. It would be nearly impossible to successfully DDoS Google, for example. They have the capacity to withstand a sudden influx of several million computers, all trying to access their services. That’s just a Friday night for them! However, if a celebrity posts a link to a home-run recipe blog, that blog’s about to come under heavy strain they might not have expected.

Forum websites like Digg and Reddit have a term for accidentally DDoSing a small website: the “Hug of Death”. So many users are directed from a cool post on the front page to the website that it crashes and loses service. This is DDoSing, even if it’s completely accidental. Sometimes popularity is the worst thing that can happen to a website! Repeat visits to a website tend to grow very slowly and are the result of a lot of hard work and careful ad placement. Insane success doesn’t happen overnight… until it does, and a DDoS event happens.

Malicious uses

DDoSing a site used to be a pretty popular way to harass a website creator or organization. It’s simple, it’s cheap, it’s effective, and it doesn’t take much to successfully DDoS the tiny sites that content creators make to separate themselves from things like BlogSpot or Wix.

There are multiple roads to get to the desired goal of a crash! One method is simply coordinating other users via social media to repeatedly ding a website til it starts slowing, and then crashing. This is the easiest, fastest method, but it requires a pre-existing platform to rally bad actors. This also happens accidentally all the time! Someone will point to a cool website and then crash it when their followers hit it too hard all at once.

Inhuman Causes

The second option is to create a botnet, a network of internet-accessible devices that can request access to a website. This sounds expensive, but the real secret is that the hacker’s using other people’s computers to carry out this kind of attack. They get their malicious software onto the machine by exploiting social engineering or poor network security, and then they send a command to the device to attempt to access the website they’re DDoSing.

People affected may notice their own computers slowing down because the command is taking up computing power! This method requires more programming knowledge than the other method, but it delivers a lot of power anonymously. However, identifying it as an actual DDoS attack and not a spike in popularity is easier. The visits come in unnatural waves that the website host will pick up on! Many hosting services offer analytics as an option to help website builders sell ads. Using it for DDoS data gathering is a natural extension!

However, assuming it’s done right, this kind of attack is the most difficult to ward off. This method includes things like ‘HTTP floods’, which are what they sound like – HTTP, the Hypertext Transfer Protocol, is flooded with requests to connect. SYN floods also fall into this category, but instead of HTTP, it’s the initial request for the website. Again, the website can’t tell who’s legit. The website can reroute traffic to a stopgap page or a black hole page (where the traffic is just told ‘there’s nothing here!’) to stop it, but it still gives the DDoSer the desired result – service is denied.

Location

DDoSing can attack the upstream and downstream of the site, too. One example is a DNS amplification attack, where the malicious user makes simple requests that take a lot of data to complete. The website can handle it, but the upstreams supplying the info requested might be forced to cut service to protect themselves. Protocol attacks aim to over-burden the firewall and load balancers of the site by repeatedly dinging them until they’re too busy and shut down. Both of these are easier to handle than HTTP floods, but they’re still used today against unprepared and poorly written websites.

Botnets don’t have to be made entirely of high-powered user devices, like laptops or desktops. Internet of Things items can be used in a DDoS attack too! IoTs are usually poorly protected and have juuust enough power to request data from a website. They make perfect botnet fodder. Plus, it’s much harder to tell that a fridge has been hacked, so it tends to fly under the radar.

How to Stop it?

The best way for you to avoid being sucked into a botnet is the same security advice used against viruses. IoT items are computers too, and they should be treated with the same fear of viruses as PCs are! Don’t download sketchy things off sketchy sites, don’t click malicious attachments, etc. And for those IoT devices, change the default password! Use a password with your router that isn’t the factory default! This should keep your devices from being used in botnets without your knowledge.

As far as preventing an attack on your site, the answer is much more difficult.

Some websites defend against this by using something to check the request before actually allowing the request in. As mentioned above, AI will pick up on unnatural waves. Having a program in place to shut out the peaks of those waves can help. Real users will refresh the page and wait to be allowed in – bots may not. Some older websites use a form of this by routing new visitors to a ‘check’ page before allowing them access to the site; this confuses botnets, which may be expecting instant entry.

Also, be sure that firewalls and other web protections are up-to-date and running as they should be. This will keep DDoS attacks that rely on bugs and bad-faith data requests from being able to successfully deny service.
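One way to act on the two ideas above, picking up on unnatural waves and shutting out their peaks, as an added example (not code from this post or from any hosting service). The traffic, addresses, window size, thresholds and bucket settings are constructed assumptions.

```python
from collections import Counter
from statistics import median


def build_sample():
    """Constructed traffic: (second, client_ip) pairs standing in for parsed access-log lines."""
    events = []
    # 20 ordinary visitors, each requesting a page every 5 seconds for two minutes.
    for u in range(20):
        for t in range(u % 5, 120, 5):
            events.append((t, f"198.51.100.{u + 1}"))
    # Constructed flood: 15 clients sending 8 requests per second during seconds 60-69.
    for b in range(15):
        for t in range(60, 70):
            events.extend([(t, f"203.0.113.{b + 1}")] * 8)
    return sorted(events)


def requests_per_window(events, window=10):
    """Count requests in fixed windows, keyed by the window's first second."""
    return Counter((ts // window) * window for ts, _ in events)


def find_waves(counts, k=5.0):
    """Flag windows far above the site's own normal level (median plus k spreads)."""
    values = list(counts.values())
    base = median(values)
    mad = median([abs(v - base) for v in values])
    spread = max(mad, 0.1 * base)  # floor, so perfectly steady traffic still has a margin
    return [w for w, c in sorted(counts.items()) if c > base + k * spread]


def wave_profile(events, start, window=10):
    """Who made the wave: (distinct clients, most requests sent by any one client)."""
    per_client = Counter(ip for ts, ip in events if start <= ts < start + window)
    return len(per_client), max(per_client.values())


class TokenBucket:
    """Per-client allowance: `burst` requests at once, refilled at `rate` per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # the caller would answer with a "try again shortly" page


def shed_peaks(events, rate=1.0, burst=3):
    """Replay the log through one bucket per client; return (admitted, rejected) counts."""
    buckets, admitted, rejected = {}, Counter(), Counter()
    for ts, ip in events:
        if ip not in buckets:
            buckets[ip] = TokenBucket(rate, burst, ts)
        (admitted if buckets[ip].allow(ts) else rejected)[ip] += 1
    return admitted, rejected


if __name__ == "__main__":
    events = build_sample()
    counts = requests_per_window(events)
    for start in find_waves(counts):
        print("wave at second", start, "->", counts[start], "requests", wave_profile(events, start))
    admitted, rejected = shed_peaks(events)
    print("ordinary visitor:", admitted["198.51.100.1"], "in,", rejected["198.51.100.1"], "out")
    print("flooding client: ", admitted["203.0.113.1"], "in,", rejected["203.0.113.1"], "out")
```

A per-client allowance sheds a wave that comes from a few very busy clients. A “Hug of Death” trips the same wave detector but shows many clients with a few requests each, so the buckets reject almost nothing and the site needs more capacity instead.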

Sources:

https://businessdegrees.uab.edu/blog/ddos-attacks-what-they-are-and-what-they-can-do/

https://www.mcafee.com/blogs/consumer/consumer-threat-notices/ddos-attack-work/

https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

Future of working: The growing need for robust remote working solutions

Jeff Technology, Trends February 1, 2021

What does the future of work really look like? Unlock the full potential of cloud-based solutions.

Where the first lockdown, back in March last year, forced most companies into an abrupt digital setting, the two that have since followed only solidified this. This transformation has now manifested itself so that companies have become significantly, if not completely, reliant on remote, digital solutions to remain functional. As a result, the growing need for robust remote working solutions has surged, causing traditional and antiquated workplace solutions to fall by the wayside.

Embracing digital transformation and unified workplaces

The evolution of digital transformation has fast-tracked the online revolution, meaning elaborate predictions of future working are now not so distant. The boundaries between working from home and in the office are now completely blurred as we find ourselves marching through 2021. The need for physical office space now seems redundant as we can work just as we did before, if not better, from home and exceed productivity and collaboration standards.

A far stronger focus is now on the availability of IT tools as workforces rely on these methods of remote solutions to remain as collaborative with their colleagues as possible. For example, proprietary business communication platforms have completely revolutionised the way we communicate, collaborate and generally work as they dealt with the majority of the population pivoting to remote working. State of the art interactive, virtual meetings via a browser promote efficient collaboration and strengthen the performance of organizations, while necessary commutes can be reduced or in some cases avoided.

What’s more, the capability to provide quality engagement between employer and employees is now of utmost priority. As we navigate a more digitized year than ever before, employees should be equipped with the most efficient solutions that IT managers can source within minutes, instead of days or even weeks, so that effective communication internally can also benefit.

This ‘future of working’ model can be achieved through introducing personalized digital workspaces accessed through a browser on any device, anywhere in the world. Perfectly suited to the new home and office split, innovative cloud technology enables organizations and their staff to access any of their applications hosted on-premise or in the cloud, as well as internal and external web applications instantly.

Understanding the challenges

The sudden pivot to mass remote working, however, has not been as smooth sailing as initially thought. For companies still operating in traditional virtual environments, remote working solutions often lack the flexibility to include legacy or GPU intensive applications that traditionally run on a desktop or on-premise solutions. However, it is not too late to innovate and take the first step towards cloud-based technologies. It cannot be stressed enough that cloud computing is here to stay and can offer these types of businesses a lifeline before it’s too late and they fall completely behind digital transformations and breakthroughs.

Additionally, let us not forget that the internet is no doubt a dangerous place. A world now mostly operating online puts traditional IT-based companies even more at risk. In fact, there are several emerging cyber threats with an impact that has never been seen before. Because existing enterprise software protection solutions are decades old and vulnerable, many businesses are left exposed and ‘easy’ to attack. And now, with the entire UK workforce being told to work from home where possible, investing in secure and reliable solutions has never been so crucial for the online safety of not only a business, but its workforce.

Companies can look for intelligent cloud-based solutions that combine the benefits of streaming an online workplace effortlessly with complete trust in the solution to resolve exposure to hackers. For example, once systems have been migrated to the cloud, client-to-site VPN connections are no longer required, meaning there is no point of attack for trojans. Furthermore, no end device within an organization will be able to access an application server as the direct communication between the user and the target system can be completely ruled out with cloud software.

Yet companies of all types and sizes can be affected. Even multinational companies fall victim to cyber hacks, often involving over 1000 employees, due to vulnerabilities in outdated architecture. Investing in state-of-the-art cloud solutions that include cyber insurance will become a new box to add to the IT checklist in 2021 and beyond.

What’s more, new cloud technologies such as Everything-as-a-Service (XaaS) have emerged and seen accelerated adoption thanks to the influx of home working. This type of solution enables all IT services to be offered in the cloud for workforces as they work remotely. XaaS not only provides remote workers with advanced flexibility but ensures enhanced security due to it encompassing the likes of other solutions such as IaaS, PaaS and SaaS.


Implementing an efficient cloud adoption strategy

If the multiple lockdowns have taught us one thing, it is that cloud adoption is proving to be one of the most efficient ways to secure and sustain the demands of a digital workforce. Now in 2021, we hope to reach some kind of normality as the dust settles on the Covid-19 pandemic. Remote working is here to stay, and it will be up to business leaders to make sure they have the correct and most efficient cloud adoption strategy in place for their employees. Armed with the right cloud solutions, businesses have the potential to simplify their IT ecosystems and procure solutions without committing to large upfront investments.

 

We’re Elixis Technology

In the ever-changing, technology-centric world we live in, it’s vital to have an I.T. solution source you can count on. At Elixis Technology, it is our mission to help businesses — big and small — produce the results their customers demand, with technology that actually works.


News Source: https://www.weforum.org

3 ways to fill worrying cybersecurity gaps

Jeff Technology, Trends February 1, 2021

As businesses of the future evolve to be more digital and more shared, the need to prepare to avert a cyber pandemic – with potential even more than the coronavirus to upend our lives – has never been more urgent.

 

We need to strengthen our strategic response to the risks before we invest in tactics. Our plans must work harder and smarter to address capability gaps.

 

A common agenda will build the confidence and competence to achieve the resilience we need.

 

If humanity ever needed reminding of our interdependence, the pandemic has brought that home. As we scale up our response to the crisis, through largely digital means, our interconnectedness grows exponentially. And with it our vulnerability to the risk exposures of the virtual world. In fact, businesses of the future are evolving to be more digital and more shared. The need to prepare to avert a cyber pandemic – with potential even more than the coronavirus to upend our lives – has never been more urgent.

 

For a moment, let’s think of the unthinkable. A world without phones and internet, with idling trucks, trains and planes because fuel pumps and charging stations are incapacitated; banks shuttered; food supply chains broken; and emergency services made all but unavailable. This bleak vision would be inevitable if electricity supplies are cut off by a cyberattack.

 

In a scenario such as this, we know that the ensuing swift blackout would be crippling. Unfortunately, we also know that a crisis of this scope, sophistication and impact is not just possible but something we are currently dealing with – albeit in a different context.

 


Last month, a group, believed to be Russian, gained access to over 18,000 systems – belonging to government and corporations – through a compromised update to SolarWinds’ Orion software. We were unprepared to prevent the attack because the bad actors slipped through the exact whitelisted software supply chain we trust. Even more regrettably, the software supply chain allowed them to access the network of FireEye – the US-based cybersecurity giant known for investigating and remedying some of the world’s most high-profile breaches.

 

While FireEye’s customers remained largely unimpacted this time, the moral of the story is that no one and nothing is immune. Our sources of cyber-protection – software updates or defending partners – can be the Trojan Horse where everything around us devolves into chaos.

 

Well before we learnt these tough lessons in the final weeks of a rather challenging 2020, the World Economic Forum questioned whether our individual and collective approach to managing cyber risks is sustainable in the face of the major technology trends taking place.

 

Although there’s an array of resources to manage cyberattacks, we still have a long way to go before we can, as a whole, effectively counter these threats. We need to strengthen our strategic response to the risks before we invest in tactics. Our plans must work harder and smarter to address capability gaps in three areas:

 

  1. More coordination

Consider the SolarWinds attack. It did not directly hit its intended targets. Instead, the attackers surreptitiously built a chain of offence that included non-government agencies, security and technology firms, and educational institutions, to inch unnoticed towards their real targets for espionage.

 

They knew they’d find their mark through our digital interconnectedness. We can turn this same intertwining of infrastructure to our advantage. Research tells us that hackers attack computers with Internet access every 39 seconds on average. If we all shared threat intelligence, across borders, across the private and public sector, across industries and competitors, the collective intelligence could only move us forward faster.

 

An invaluable first step would be to develop more open systems, while adopting common standards and taxonomy in cybersecurity. This will serve us better to integrate and train our teams to drive holistic security. Global spending on cybersecurity solutions is projected to exceed $1 trillion cumulatively over the five-year period from 2017 to 2021. We must reprioritize these budgets to align with shared goals including collaborating to overpower organized cybercrime and the private-sector technology nexus with nation-state attackers.

 

  2. More sophistication

The Global Risks Report 2020 articulated how the digital nature of the Fourth Industrial Revolution technologies is making our landscapes vulnerable to cyberattacks. For example, it is estimated that there are already over 21 billion IoT devices worldwide, slated to double by 2025. Attacks on IoT devices increased by more than 300% in the first half of 2019 alone.

 

The report observes how “using ‘security-by-design’ principles to integrate cybersecurity features into new products continues to be secondary to getting products quickly out into the market.” Our current approach of bolt-on security needs to be reimagined to create stronger built-in standards, including SDLC-security quality certification, that make software partners more accountable for security assurance. Along with this discipline in securing the supply chain as meticulously as we secure our products, we need better design architecture to tackle the challenges at hand.

 

  3. More human capital

At the same pace that AI is growing useful in cyber defence, it is also enabling cybercriminals to use deep learning to breach security systems and harness data sets to improve response to defence.

While we can battle machine with machine, nurturing a strong pipeline of cybersecurity talent will give our defence an edge. We need better problem finders in greater numbers to work with our problem-solving machines. And this time, they need to be embedded in the complete lifecycle of our processes. Every person in the ecosystem must understand his or her role with respect to cybersecurity and be accountable to deliver to metrics and standards for cybersecurity quality. As of 2019, there were an estimated 2.8 million cybersecurity professionals worldwide, against a need for over 4 million.

 

If there is one lesson from dealing with the pandemic, it is the need to take each other along as we move forward into a more secure future. The very nature of a pandemic is such that no one is really safe unless everyone is safe. A cyber pandemic is no different. It is in shared trust and a common agenda that we can build the confidence and competence to achieve the resilience we need.

 


News Source: https://www.weforum.org

IMSA launches remote cyber security assessments

Jeff Technology, Trends January 25, 2021

Vessels worldwide are now facing compliance with the International Maritime Organisation’s (IMO) cyber security requirements. In response, the International Maritime Security Associates (IMSA) has developed a suite of cyber security tools and services for the maritime industry.

 

The company has recently launched the capability to conduct basic shipboard network vulnerability assessments without sending personnel on board.

“This capability is necessary in today’s current COVID environment,” comments Corey Ranslem, CEO of IMSA. “We know it isn’t always easy, practical or cost effective to send people on board a vessel to conduct a cyber security assessment, so we’ve developed this amazing remote assessment tool. Through this tool, our cyber specialists can conduct a remote assessment at about half the cost of sending personnel on board. This tool helps our global clients with IMO 2021 cyber security compliance along with protecting passengers and crew.”

This tool is part of a larger suite of cyber security tools IMSA has developed to support vessels and maritime facilities with expanding their cyber security defences.

 

Some of these cyber security tools are part of the ARMS software platform. Through ARMS, IMSA can monitor a vessel’s critical systems and networks remotely in real-time through its SOC (Security Operations Centre). This capability protects vessels from real-time threats to IT, OT, and other critical network systems.

“IMSA is continually enhancing the levels of protection we provide our clients,” adds Ranslem. “Through ARMS and our 24/7 operations centre, we provide a variety of client-focused services to ensure the safety of your voyage and critical systems.”

 


News Source: https://www.superyachtnews.com

Remote working – striking a balance

Jeff Technology, Trends January 24, 2021

Presenteeism has long been associated with working life in the city, viewed by many employers and employees as essential for getting known and getting ahead.

However, in response to the Covid-19 pandemic, businesses have had to cope with an abrupt move to mass remote working, in a way many never would have imagined feasible only a year ago. In many industries it has proved to be manageable. And, even before the pandemic, it was recognized that endorsing agile working was becoming a significant factor in driving forward a successful, modern business, capable of attracting and retaining top talent.

So will it endure?

Perhaps one of the biggest barriers to remote working has been trust; employers simply did not trust that people working from home were actually working, that service standards could be maintained, that confidential information would remain secure. Many of these issues have been dealt with by enforcing best practices around regular communication and updating and enforcing detailed home working policies.

And so, as and when we are allowed to return to work in the city, employers can no doubt expect many more employees to exercise their statutory right to request flexible working. Refusals are likely going to be much more closely scrutinized and potentially lead to formal grievances. Management and HR should be proactively planning their approach in advance.

Of course, remote working is not everyone’s preference and it has its downsides. It can be lonely and isolating, having a negative impact on employees’ mental health and workplace collaboration and diversity. In particular, junior employees can miss out on developing vital skills and a professional network.

Therefore, striking the right balance inevitably seems like the best way to future proof both businesses and individual career progression. In our view, it is not a question of if but when will we return to the city; but expect that most employees will not want to spend as much time there as they and we once did.

 


News Source: https://www.cityam.com

Thinking about going remote-first, forever? Do these 5 things beforehand

Jeff Technology, Trends January 4, 2021

In recent years, flexible working has become synonymous with modern business management and a distinctive trademark for hip tech companies.

 

However, since COVID, it has become vital for most companies to adapt their work settings to social distance practices and to strive for a higher degree of digitalization. 

 

In a matter of months, telecommuting, remote working, teleworking, working from home, working from anywhere, and flexible workplace have entered our vocabulary – and are very likely here to stay.

 

As we witness this epochal transition, employers and employees wonder, how should we come prepared to meet the inevitable challenges? Here is a to-do-list for all the companies that are considering going remote-first!

 

Organize the tools, systems, workflows

If you are approaching remote working for the first time, you should consider yourself very lucky! The software and cloud technology available nowadays is (in most cases) sufficient for you and your employees to keep constantly in touch and organize your streams of work in the most efficient way. So much so that several companies will never go back to now obsolete in-office work arrangements.

 

Examples of online tools that can make your work-from-home life easier include (among many others): video cloud-based communication software programmes, time and tasks management apps, corporate training platforms, cybersecurity toolkits.

 

Also, here you can find EU-startups-approved lists of AR and VR startups that are helping us work remotely and of several tools for jazzing up your online and work meetings.

 

Assign clear roles and responsibilities

Another important step to make remote working ‘work’ is to set clear roles and responsibilities among your co-workers or employees. As mentioned before, the appropriate online tools and a constant flow of communication between team members can help everyone understand what’s expected of them within the group. 

 

A fixed hierarchy and clear tasks are particularly important in a remote working situation as they encourage your employees to take ownership for their work and their success (and, very importantly, to acknowledge their shortcomings).

 

Setting up clear goals and KPIs is also important for a group that works from different places – and sometimes on a different schedule or even in a different time zone. Check the next item on the list for advice on how to set KPIs from a distance.

 

Review KPIs

Whatever the working arrangement, monitoring performance and detecting areas for improvement is key to success. In a remote working scenario, setting KPIs becomes all the more important to measure whether your collective efforts are effectively being carried out.

 

Some simple advice for carrying out a performance assessment for out-of-office work includes: 

  • Track milestones in relation to the final product (or intermediate versions) with an Agile Project Management process framework
  • Keep a steady flow of information by sharing feedback and notes
  • Use virtual boards and keep them updated; that should help keep your workers motivated

 

Ultimately, your employees should feel comforted by the fact that the workflow remains unaffected.

 

Start building a positive working culture

Positive attitude in the workplace is everything! Make sure to outline the advantages of a remote position to your employees. Remote working needs some adjustments but should never feel like a demotion or a punishment. Instead, it holds tangible advantages: when employees can manage their time autonomously, you reduce the risk of them contracting the virus, and they feel safer, more motivated and trusted.

 

Also, set out values that are important for both parties, such as defining free time slots, and prioritizing employees’ mental and physical needs. During quarantine and social distancing times, feelings of isolation and distress are very common. That is why building an effective and positive working culture includes finding the right work/life balance.

 

Check-in with your employees

Make your employees feel heard and seen – even if only via a computer screen! Make a habit of getting regular, virtual coffee breaks with them and meetings that aren’t strictly work-related.

 

Trust them with their tasks and make sure that they feel safe while performing their duties. Losing one’s job is a dreadful fear and can impact their performance. Plus, it can worsen an already aggravated mental state. It is in fact proven that a high level of economic anxiety has been generally registered during the pandemic. And this is not only true for people who are unemployed but also for those who are employed and in fear of being laid off.

 


News Source: https://www.wired.co.uk/

These cybersecurity tactics will help businesses survive 2021

Jeff Technology, Trends January 4, 2021

Security professionals take three steps: threat detection, immediate action and long-term defence. All companies should look to do the same, no matter their industry.

 

During 2020, institutions of all kinds were forced to adapt to a dynamic world where the usual projections and five-year marketing plans did not apply. Economic reports show marked GDP reductions of greater than 20 per cent in many countries, with a continued decline into 2021. Businesses and workplaces will increasingly turn to models of work in dynamic fields – such as cybersecurity – to make them more resilient.

 

Organisations that emerge out of the pandemic and the ensuing economic turmoil will have spent 2020 continually adapting to previously unimagined circumstances. This is a very familiar environment for people working in security, and particularly cybersecurity because quite often we don’t know what the next couple of hours will look like. Businesses of all kinds will discover the need to adopt fluid models and frameworks developed in a dynamic field and use them to redirect money, personnel and resources rapidly.

Typically, most businesses rely on static, predictive data analysis for growth and sustainability. They study insights and information from the previous few weeks and base predictions on them. However, these statistics can be rendered virtually useless within the next hour. Instead, businesses must start using data as they get it, proactively seeking out problems that could pose danger – just as cybersecurity specialists do.

 

Many cybersecurity frameworks can be modified to suit businesses more broadly. One example is data orchestration – where information that has been siloed in various parts of an organisation is collated and made available for rapid analysis.

 

Another is the concept of Common Vulnerabilities and Exposures (CVEs). This is a standardised identifier for known vulnerabilities, such as a weakness in a certain kind of encryption or exposure such as a large data breach in the last two years. Lists of these are available for any organisation looking to improve its cybersecurity. A version of this approach for other industries – known issues with certain suppliers, for example – could be used to make all kinds of firms more resilient.

 

In cybersecurity, we often take a three-pronged approach: detect what the potential threat is; take immediate action to protect information; and establish long-term defences to systems, such as new kinds of encryption. Businesses will find that adopting these processes and tools – especially their emphasis on the early detection of potential threats and the sharing of information when necessary – will help future-proof operations.

Early adopters will be the winners here. Workplaces and organisations that embrace the reality of a dynamic environment, rather than yearning for static working and legacy business models, will outperform their competitors. In 2021, companies and institutions that adopt principles such as data orchestration and CVEs will find they’re in a better position to survive.

 


News Source: https://www.wired.co.uk/