Channel: CodeSection, Code Area, Cybersecurity - CodeSec

Toward a secure code ecosystem


This week started off with the discovery of malicious code injected into a dependency of a popular open source npm package. The attacker found an inactive library, volunteered to help maintain the project, and published a compromised version.



This incident was further relevant to the crypto community as the malware specifically targeted Copay libraries, which are used in several Bitcoin wallets. As we all know, crypto is a very attractive spot for hackers, given the large amount of funds involved and the complete lack of legal recourse for rolling back a transaction associated with a hack or theft.

This should come as no surprise. The state of the JavaScript ecosystem is well known to be fragile, and we have had our fair share of warnings. The wonderful world of open source collaboration has a dark side when it comes to ensuring the security of the code we pull from thousands of GitHub repositories on every project we write.

But one of the advantages we have as Ethereum developers is that we are starting anew. The Ethereum ecosystem is fresh and just starting to bloom. We can take our lessons learned and make sure the open source contracts code we share is vetted and secure.

One of the main reasons why we work on Ethereum is that it is a decentralized and programmable consensus platform. Smart contracts let us foster particular behaviours in the users of the networks we build, based on the mechanics we code into them. As such, we can leverage Ethereum itself as the medium in which to build the missing layer of trust around code dependencies.

On this network, trust in a package can be signalled explicitly by vouching value (in the form of tokens) behind trusted code. This way, due diligence performed by a user on a piece of code they depend on can be shared with the rest of the community. Maintainers can actively stand behind their own packages or withdraw their support as they move to other projects. And security experts are naturally drawn to the most supported projects to analyze them, and can profit from their discoveries by reaping a fair share of the value staked.

These skin-in-the-game mechanics place an economic (and reputation) value on open source code. Through them, we envision a dependency ecosystem in which the most secure code bubbles to the top and end users can be confident of the dependencies they rely upon.

This is our goal at ZeppelinOS. We propose EVM packages as the standard unit of reusable code, where code resides on the blockchain itself as actual code developers can link, not as data. And we are building a layer of economic incentives, powered by the ZEP token, for developers to vouch for their packages and the packages of others they trust, creating incentives for security researchers to sign off on the security of the code they review and to profit from the code they can break.

The wheels to build this ecosystem are already in motion. We are working together with over 100 developers and security researchers vouching for dozens of EVM packages, in the context of a private beta. During this time, we will be testing, iterating, and refining the network mechanics to build the secure pool of reusable smart contract libraries that is needed.

Once we have achieved that, we can go back to other development communities and share our learnings.

So, one day, you may be able to vouch for your favourite JavaScript package using ZEP.

If you want to contribute to ZeppelinOS, check out our GitHub repo and join our community channel on Telegram. Follow ZeppelinOS development on our blog or on Twitter. Or even better, join the team!

Check Point Software Integrates with New Amazon Web Services Security Hub, Bring ...

Check Point Software Technologies Ltd. today announced a technology integration with Amazon Web Services (AWS) Security Hub, a unified security service that centralizes the view and management of security alerts. This integration, together with the addition of Dome9 to the CloudGuard portfolio following its recent acquisition by Check Point, allows enterprises to access multi-layered security and nearly continuous compliance capabilities from the central console of AWS Security Hub. By leveraging AWS Security Hub, Check Point can provide a nearly seamless experience to customers, adding protection for their AWS environments against advanced cyber-threats in real time and mitigating compliance risks at any scale.

AWS Security Hub provides users with a comprehensive view of their high-priority security alerts and compliance status by aggregating, organizing, and prioritizing alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner Network (APN) security solutions. The findings are then visually summarized on integrated dashboards with actionable graphs and tables.

The Check Point CloudGuard solution natively integrates with AWS Security Hub to provide customers with better visibility into gaps in their security and compliance posture, and context-rich security intelligence for enhanced threat prevention. CloudGuard IaaS adds contextual information such as asset tags, security groups and availability zones to dynamically update security policies, and provides AWS Security Hub with visibility into threat alerts based on deep event correlation and rule-based cloud intrusion detection. To complete the picture, customers leveraging the CloudGuard Dome9 solution can analyze and respond to events triggered by its nearly continuous compliance and governance framework.

Enterprises using it benefit from features that prevent 5th generation cyber-attacks in their hybrid environments. These features include:

- Threat prevention of both North-South and East-West cyber-attacks based on contextual awareness and attribution of network traffic to cloud-native ephemeral services
- Real-time alerts on network vulnerabilities, with nearly continuous network monitoring and alerting based on easily customizable policies
- Comprehensive visibility into cloud assets and security configurations
- Nearly continuous compliance monitoring and enforcement of security posture
- Fully integrated security capabilities, including firewall, IPS, application control, IPsec VPN, antivirus, anti-bot and more
- Unified management of security policies across hybrid environments (datacenter, private and public clouds)

"AWS is a leader among cloud services providers, delivering powerful security capabilities that help enterprises deploy and manage cloud environments with enhanced security features at scale," says Itai Greenberg, Vice President of Product Management at Check Point Security. "Check Point has been at the forefront of cloud security automation solutions that have built deep integrations with a broad range of AWS security services. We are privileged to offer integration with AWS Security Hub to deliver comprehensive visibility into ongoing security and compliance risks, and end-to-end workflows to mitigate risks."

"We are happy to have Check Point as a launch APN Partner integrating the CloudGuard IaaS solution with AWS Security Hub," said Dan Plastina, Vice President, Security Services, Amazon Web Services, Inc. "Check Point offers advanced threat prevention capabilities to AWS customers. The integration with support for AWS Security Hub makes it even easier for our shared customers to access and act on their cloud security insights."

Elastic Customer OmniSOC Honored With CSO50 Award for Cybersecurity Innovation

Pioneering Higher Education Cybersecurity Operations Center Recognized for Innovative Use of the Elastic Stack to Detect and Analyze Threats

MOUNTAIN VIEW, Calif. & AMSTERDAM (BUSINESS WIRE) Elastic N.V. (NYSE: ESTC), the company behind Elasticsearch and the Elastic Stack, is pleased to announce that its customer OmniSOC has been honored with a 2019 CSO50 Award from IDG’s CSO. This honor is bestowed upon a select group of organizations that have demonstrated that their security initiatives have created outstanding business value and thought leadership.

Based at Indiana University, OmniSOC is the first higher education joint cybersecurity operations center; it brings together expertise and resources from its five founding universities to reduce the time from first awareness of a cybersecurity threat to mitigation. OmniSOC uses the Elastic Stack as its security analytics platform, utilizing Elasticsearch, Kibana, Beats, Logstash, and features such as security, alerting, and machine learning. The Elastic Stack ingests, correlates, and analyzes vast quantities of information from thousands of systems across all of its member institutions in order to detect security breaches and cybersecurity threats. OmniSOC security engineers then provide rapid, actionable intelligence back to members so that they can mitigate risks, close security gaps, and prevent future attacks.

“OmniSOC’s innovative use of the Elastic Stack to proactively hunt down threats and malicious activity is a pioneering effort that will serve as a model for security in higher education and beyond,” said Shay Banon, founder and chief executive officer at Elastic. “We congratulate the OmniSOC team for this well-deserved recognition from CSO.”

“Higher education faces a unique set of cybersecurity challenges: securing hundreds of thousands of devices and tens of thousands of students and faculty members in an economically efficient way. The Elastic Stack gives us extremely fast access to the data we need to protect our member universities,” said Tom Davis, OmniSOC founding executive director and chief information security officer. “We’re honored to be recognized by CSO for this innovative joint cybersecurity initiative.”

“Amid the seemingly constant stream of news-making security breaches, vulnerabilities introduced by new technologies and increased attention from company boards, today’s security leaders have their plates more than full,” said Amy Bennett, executive editor of CSO. “Our annual CSO50 awards shine a light on projects that enhance an organization’s security posture and also deliver measurable ROI. We are pleased to give them the recognition they deserve.”

About the CSO50 Awards

The CSO50 Awards recognize 50 organizations for security projects and initiatives that demonstrate outstanding business value and thought leadership. The CSO50 Awards are scored according to a uniform set of criteria by a panel of judges that includes security leaders and industry experts. The 2019 awards will be presented at the CSO50 Conference + Awards, April 8-10, 2019, at the Talking Stick Resort, Scottsdale, Arizona.

About Elastic

Elastic is a search company. As the creators of the Elastic Stack (Elasticsearch, Kibana, Beats, and Logstash), Elastic builds self-managed and SaaS offerings that make data usable in real time and at scale for search, logging, security, and analytics use cases. Elastic is a distributed company with Elasticians working in countries around the world. Learn more at elastic.co.

Elastic and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.

Contacts

Deborah Wiltshire
Elastic
press@elastic.co

AWS re:Invent 2018: Enterprise Governance: Build Your AWS Landing Zone ENT351

Lon Miller, Wallace Printz, Brandon Bouier, all from AWS

Back into workshop mode, this time for what I think is an interesting one, not just from the tech perspective but for broader IT and business use. AWS Landing Zone helps you more quickly set up a secure, multi-account AWS environment based on AWS best practices. AWS obviously has a large number of options, so setting up an account properly can take some time. AWS Landing Zone is deployed into an AWS Organisations account.

Why Multiple Accounts?

If you’re initially thinking, “well, so what, we don’t set up AWS accounts that often; in fact we only have one or two for our organisation”, you may want to have another think about that.

AWS initially suggested keeping the number of AWS accounts small: even one was fine, or perhaps one for PROD and one for DEV. AWS now wants you to think of AWS accounts as single tenant homes. This could mean distinct AWS accounts for each department or even each application. How about each environment of an application being a separate AWS account? Why on earth would you do that? Well, compartmentalising applications is a good idea for a number of reasons. Billing is one: you can know exactly what each environment for each application costs rather than having to work through the crazy complicated AWS billing. You can identify data transfer costs per account, which is something you can’t do with tags and billing. When you migrate to a new application you can cleanly shut down the old one by deleting the account. Multiple accounts are useful if you need administrative isolation between workloads or want to minimise your blast radius, so an issue in one account is contained, especially from a security perspective. Service limits are per account, and reserved instances are per account too.

As with Microsoft Active Directory Organisational Units, AWS Organisational Units can be sliced and diced in any way you choose. You could choose to have AWS OUs based on business units, projects, locations or environments, or a mixture of some or all. That could be a nightmare to manage. AWS Landing Zone is meant to help with all this with an automated solution.

The workshop went through building a Landing Zone, which starts with a baseline environment of four core accounts and resources, plus an Account Vending Machine which uses AWS Service Catalog so users can create new accounts without needing to be admins.

This wasn’t as hands-on as other workshops, as the actual Landing Zone takes 2 hours to deploy. We registered and received a login to a pre-baked Landing Zone environment; it was all there so we could have a good look around. It would have been nicer to have some more tasks to do, to create further accounts for example.

AWS Organisations Account

AWS Landing Zone is deployed into a central AWS Organisations account which is then used to create and financially manage other member accounts. This account has an S3 bucket, a CodePipeline, account configuration StackSets, AWS Organisations Service Control Policies (SCPs), and SSO configuration. Here are the accounts created:

Shared Services Account

The Shared Services account is a reference account for infrastructure shared services such as directory services. This account starts with an AWS Managed Microsoft AD for AWS SSO integration, running in a shared VPC which can be peered with new member accounts created by the Account Vending Machine. I would think you would deploy multiple shared services accounts for centralised application logging, monitoring, backups, deployment sources etc.

Log Archive Account

The Log Archive account contains a central Amazon S3 bucket for storing copies of all AWS CloudTrail and AWS Config log files.

Security Account
The Security account creates read-only cross-account roles for auditors and administrator roles for your security team into all your managed accounts. This gives your auditors central access to check compliance, and gives your security team break-fix access in an emergency. This account is also the master Amazon GuardDuty account, which can be used to see and manage GuardDuty findings for all accounts.

Using Landing Zone

There are a lot of CloudFormation stacks which are automatically created by this, with loads of baseline security settings like RDS encryption, the default VPC deleted, deletion of CloudWatch Logs disabled, etc. AWS Config has a dashboard in which you can see any noncompliant rules across your resources; for example, we had an alert that MFA wasn’t enabled. As we used SSO (via on-prem AD), it was easy to jump between all the different accounts. We looked into the Security account and could see the S3 bucket with all the access logs from all accounts in the same place, all encrypted.
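The guardrails that a Landing Zone pushes out to member accounts (the Service Control Policies mentioned in the Organisations account section, alongside the CloudFormation baselines above) only work if you understand how an SCP is evaluated. The following is an added example written for this write-up, not code from the workshop or from the AWS Landing Zone solution: a small evaluator that applies the core SCP rule (an action survives only if some Allow statement matches it and no Deny statement matches it, with case-insensitive action names and `*`/`?` wildcards) to a constructed guardrail policy. The policy text, the action names probed and the simplifications noted in the docstring (no Condition, NotAction or Resource handling) are assumptions for the demonstration.

```python
"""Toy evaluator for AWS Organizations Service Control Policies (SCPs).

Added example written for this write-up; not part of the AWS Landing Zone
solution and not code from the workshop. It models the rule that matters
for guardrails: an action survives the SCP only if some Allow statement
matches it AND no Deny statement matches it, with '*' and '?' wildcards and
case-insensitive matching on the action name. Simplifications (assumptions,
not AWS behaviour): Condition, NotAction and Resource scoping are ignored,
and every statement is assumed to use "Action" with "Resource": "*".
"""
import fnmatch
import json

# Constructed guardrail SCP (not the Landing Zone's own policy text): keep
# the default FullAWSAccess allow, then deny tampering with the central
# audit trail and the Config recorder, and deny leaving the organisation.
GUARDRAIL_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail"],
         "Resource": "*"},
        {"Sid": "ProtectConfig", "Effect": "Deny",
         "Action": ["config:Delete*", "config:Stop*"],
         "Resource": "*"},
        {"Sid": "StayInOrganisation", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
})

# Same denies with the FullAWSAccess allow removed: an SCP is a filter, not
# a grant, so with no matching Allow statement nothing is permitted at all.
DENY_ONLY_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": json.loads(GUARDRAIL_SCP)["Statement"][1:],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_permits(policy_json, action):
    """True if the SCP leaves `action` available to principals in the account."""
    allowed = denied = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if "Action" not in stmt:
            raise ValueError("this model only handles statements with an Action element")
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if stmt["Effect"] == "Deny":
            denied = True            # an explicit Deny always wins
        elif stmt["Effect"] == "Allow":
            allowed = True
    return allowed and not denied


def effective_actions(policy_json, actions):
    """Evaluate a batch of actions, e.g. to sanity-check a guardrail before attaching it."""
    return {action: scp_permits(policy_json, action) for action in actions}


if __name__ == "__main__":
    probes = ["cloudtrail:StopLogging", "cloudtrail:LookupEvents",
              "config:DeleteConfigRule", "organizations:LeaveOrganization",
              "s3:GetObject"]
    for scp_name, scp in (("guardrail", GUARDRAIL_SCP), ("deny-only", DENY_ONLY_SCP)):
        print(f"--- {scp_name} ---")
        for action, ok in effective_actions(scp, probes).items():
            print(f"{action:36s} {'permitted' if ok else 'DENIED'}")
```

Two points the deny-only policy makes concrete: an SCP never grants anything (the IAM policies inside the member account still have to allow the call), and the management account itself is not subject to SCPs, which is one more reason to keep workloads out of it. For real policies with Condition elements, check behaviour with the IAM policy simulator rather than a model like this.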

Account Vending Machine (AVM)

The AVM is what you use to create additional accounts. It’s a Service Catalog product preconfigured with a security baseline and a predefined network. We went on to the idea of modifying the default deployment code for custom deployments, which goes through a CI/CD pipeline; this is then all infrastructure as code.

We then had a custom account template which could be launched by users to create their own AWS account on demand.



This was a useful workshop and gave me some concrete technical steps to achieve what I’ve been working through my head which is how to automate enterprise account infrastructure in a continuous deployment model.

This has bigger ramifications than just the account creation process: it covers the ongoing management of your cloud(s). If your Singapore team needs to install a new domain controller, how do you manage the security groups and other firewall rules so that all your accounts can talk to it? If you decide to change your logging destination or standards for all applications, how do you centrally push that config out to so many accounts? Being able to use infrastructure as code to deploy, and more importantly keep up to date and audit, a whole new account which has all the compliance, security and application standards built in is super useful. Third-party vendors can plug into this: if you’re sending your logs to another service not run by AWS, they could provide the code to extend your accounts to use their system; put it into CodePipeline and you’re extended. The days of connecting to multiple AWS accounts to make similar changes are thankfully coming to an end.

I had to run off a little early to head to another hotel to be in time for the next workshop.

Menlo Security Named a Visionary in Gartner’s Magic Quadrant for Secure Web Gat ...

Company Recognized for its Completeness of Vision and Ability to Execute

PALO ALTO, Calif. (BUSINESS WIRE) Menlo Security today announced it has been named by Gartner Inc. to the Visionaries quadrant of the 2018 Gartner Magic Quadrant for Secure Web Gateways. Menlo believes its innovative isolation-based approach to secure web gateways and enterprise security stands uniquely apart from competitors’ detection-based SWG solutions.

Menlo Security’s isolation-based SWG prevents advanced web-borne threats and sophisticated phishing attacks with a cloud-based service that processes more than a billion web requests per day and protects millions of users worldwide.

Rather than detecting threats at the gateway or endpoint, the Menlo Security Isolation Platform acts as a digital partition in the cloud, first isolating and executing all web content in an always-on pool of isolated web browsers, then streaming clean, malware-free visual content to employees’ web browsers while simultaneously warning them against phishing scams at time of click.

“Legacy SWGs fail at completely stopping malware attacks, making infections via web and email content an everyday reality for their enterprise customers. We have a once-in-a-generation opportunity to transform the SWG market,” said Amir Ben-Efraim, CEO of Menlo Security. “Our laser focus on efficacy against malware delivers dramatic results, completely eliminating malware via our new isolation-based SWG. Our platform is deployed with many G2000 customers across the world, and our cloud makes it easy for new customers to experience these benefits firsthand.”

Menlo Security was founded to solve the fundamental problem that detection-based security technology is no longer effective against modern malware and advanced phishing attacks. The company chose to re-define the Secure Web Gateway market with its patented isolation-based approach, delivering a seamless, native user experience with the 100 percent security guarantee of fully isolated files and web sessions.

“No other vendor is re-imagining the full set of SWG capabilities using isolation as its core approach,” continued Amir Ben-Efraim. “Menlo Security sees its debut in the Gartner Magic Quadrant as a reflection of the market’s growing need for a solution that provides 100 percent malware prevention.”

More details about the Gartner Magic Quadrant for Secure Web Gateways can be found at: https://info.menlosecurity.com/Gartner-MQ.html

More Resources

- Tweet this: @MenloSecurity named by Gartner to a Visionary position in Nov. 2018 #MagicQuadrant for #SecureWebGateway. Better #CyberSecurity to stop #phishing #malware. https://info.menlosecurity.com/Gartner-MQ.html
- LinkedIn: https://www.linkedin.com/company/menlo-security/
- Visit our website: https://www.menlosecurity.com/
- Meet Menlo Security customers.
- Subscribe to our blog for the latest security news and best practices.

Gartner, Magic Quadrant for Secure Web Gateways, Lawrence Orans, Peter Firstbrook, 26 November 2018.

Gartner does not endorse any vendor, product or service depicted in
its research publications, and does not advise technology users to
select only those vendors with the highest ratings. Gartner research
publications consist of the opinions of Gartner’s research organization
and should not be construed as statements of fact. Gartner disclaims all
warranties, expressed or implied, with respect to this research,
including any warranties of merchantability or fitness for a particular
purpose.

About Menlo Security

Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents and email. Menlo Security’s cloud-based Isolation platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end-user experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies and financial services institutions, and backed by General Catalyst, Sutter Hill Ventures, Engineering Capital, Osage University Partners, American Express Ventures, Ericsson Ventures, HSBC and JP Morgan Chase. Menlo Security is headquartered in Palo Alto, California. For more information, visit https://www.menlosecurity.com or @menlosecurity.

Contacts

Renee Newby Friedman
pr@menlosecurity.com

Security notice for Apollo VS Code 11/28/18


A security vulnerability affecting Apollo VS Code requires your attention

James Baxley III

tl;dr: A widespread, industry-wide security incident impacted a dependency of a dependency of the Apollo VS Code plugin called event-stream. The editor extension (along with 38 others) was removed from the VS Code Marketplace. These extensions were also uninstalled for users and flagged as “malicious” within VS Code. We locked our extension to a safe version of the dependency and worked with the VS Code team to republish the Apollo package, which is now safely back on the marketplace for download.

Timeline of events

Monday November 26

On Monday morning news broke of a security incident that impacted the JavaScript ecosystem at large. A popular dependency called event-stream was discovered to have been compromised. The malicious code it pulled in, when installed alongside the bitcoin wallet tooling copay or copay-dash, would attempt to siphon and steal bitcoins from users.

We determined that the vscode npm package we use to build the Apollo VS Code editor extension was installing event-stream. We locked our versions down to a previous safe version and uploaded a release to the VS Code Marketplace.

Tuesday November 27

We received reports of the editor extension being removed from the marketplace and flagged as malicious. Our team reached out to the VS Code team to ask what was happening and why we were flagged.

The prior night, the VS Code team had removed 38 extensions that depended on the vscode package or other related projects that brought the compromised package into their builds. After receiving our message on Tuesday, they responded to our team letting us know they were reviewing our new build.

Wednesday November 28

The VS Code team let us know that our changes were sufficient and that the Apollo VS Code extension was published back onto the marketplace.

Next steps

Due to the way VS Code extensions are installed, there is only a small chance that the vulnerability would have had any impact, however it is worth checking your machine to make sure that version of the package doesn’t exist. Lauren Elizabeth Tan put together a great tweet thread of steps to take:
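The check the notice recommends, locating a known-bad package version anywhere in an installed dependency tree, is simple enough to script. What follows is an added example written for this notice; it is not Apollo's tooling and not the steps from the tweet thread referenced above. It walks every `package.json` under `node_modules`, including nested `node_modules` directories (where a dependency of a dependency lives), and compares `name@version` against a denylist. The two denylist entries are the versions named in the public event-stream disclosure (event-stream 3.3.6 pulled in flatmap-stream 0.1.1, which carried the payload); the project tree it scans is constructed inside the script so it runs offline.

```python
"""Find known-bad package versions anywhere under a project's node_modules.

Added example for this notice; not Apollo's tooling and not the steps from
the tweet thread referenced in the post. Nested node_modules directories are
walked too, because the compromised code here arrived as a dependency of a
dependency. KNOWN_BAD holds the two versions named in the public
event-stream disclosure; extend it for your own incident. build_fixture()
constructs a fake project tree purely for the demonstration.
"""
import json
import tempfile
from pathlib import Path

KNOWN_BAD = {
    ("event-stream", "3.3.6"),     # version that added the malicious dependency
    ("flatmap-stream", "0.1.1"),   # the package that carried the payload
}


def _is_package_root(pkg_json):
    """True if this package.json sits where npm installs a package:
    node_modules/<name>/package.json or node_modules/@scope/<name>/package.json.
    Manifests deeper inside a package (test fixtures, examples) are skipped."""
    pkg_dir = pkg_json.parent
    if pkg_dir.parent.name == "node_modules":
        return True
    return pkg_dir.parent.name.startswith("@") and pkg_dir.parent.parent.name == "node_modules"


def scan_node_modules(project_root, denylist=KNOWN_BAD):
    """Return sorted (name, version, relative_path) for every denylisted install."""
    root = Path(project_root)
    hits = []
    for pkg_json in root.rglob("package.json"):
        if not _is_package_root(pkg_json):
            continue
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; not an installed package we can judge
        key = (meta.get("name"), meta.get("version"))
        if key in denylist:
            hits.append((key[0], key[1], pkg_json.parent.relative_to(root).as_posix()))
    return sorted(hits)


def build_fixture(base):
    """Construct a fake project (demonstration data only): the bad pair nested two
    levels deep, a clean package, and a look-alike manifest buried in a test
    directory that is not an installed package and must be ignored."""
    layout = {
        "node_modules/event-stream": ("event-stream", "3.3.6"),
        "node_modules/event-stream/node_modules/flatmap-stream": ("flatmap-stream", "0.1.1"),
        "node_modules/example-clean-package": ("example-clean-package", "1.0.0"),
        "node_modules/example-clean-package/test/fixtures/decoy": ("flatmap-stream", "0.1.1"),
    }
    for rel, (name, version) in layout.items():
        pkg_dir = Path(base, rel)
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps({"name": name, "version": version}))


def demo():
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_node_modules(tmp)


if __name__ == "__main__":
    findings = demo()
    for name, version, where in findings:
        print(f"{name}@{version} found at {where}")
    raise SystemExit(1 if findings else 0)
```

Point `scan_node_modules()` at a real project directory instead of the fixture to check your own machine; a non-zero exit makes it usable as a CI gate. A lockfile pinned to a safe version, as the post describes, prevents the bad version from being reinstalled, but only a scan of what is actually on disk tells you whether it was ever present.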

Centralized FDE Management for a Distributed, Mixed-OS World


At JumpCloud , we’re hoping to change that. Join us in our upcoming webinar on December 5 as we demo new policies for managing FileVault and BitLocker at this one-time webinar event.

The Webinar:
Centralized FDE Management for a Distributed, Mixed-OS World
December 5, 2018 1 pm EST

Join George Wagner, Senior Product Marketing Manager at JumpCloud, as he discusses FDE and how you can enforce it across heterogeneous IT environments.

What You’ll Learn:

- Why it’s critical to protect user systems against data breach.
- What FDE is and how it bolsters your security posture.
- Why enabling FDE in mixed Mac and Windows environments is painful.
- How JumpCloud simplifies system security regardless of location or operating system.
- Live demonstration of JumpCloud’s FDE policies for FileVault and BitLocker.

In addition, there will be the opportunity to ask questions at the end of the webinar.

Plotting Scottish census data with some tidyverse magic


(This article was first published on R scottishsnow , and kindly contributed toR-bloggers)

I’ve been working with the Scottish census recently, to investigate employment in land-based (agriculture, forestry and fishing) industry. A friend of mine has recently moved to Dumfries and Galloway a rural, farming area of Scotland. He’s commented on the ageing population in the area, so I pulled out the age profile from the census for his civil parish . This post shows how to plot up an age profile from the Scottish census table KS102SC, which is available online .

First up, let’s load our packages and read in the table. Note I’ve skipped the first few header lines and have coded “-” as NA. In reality these are 0s, so I’ve used `mutate_all` to fix them.

library(tidyverse)

df = read_csv("~/Downloads/temp/KS102SC.csv", skip=4, na="-") %>%
  mutate_all(funs(replace(., is.na(.), 0)))

Next we can select the parish of interest, select the columns we’re interested in, convert these to long format, and force the ordering of the ages (e.g. 8-10 should come before 10-14). I’ve piped the output of this munging into ggplot and added some styling and an all important licence statement.


df %>%
  filter(X1=="Dalton") %>%
  select(-X1, -`All people`, -`Mean age`, -`Median age`, -X21) %>%
  gather() %>%
  mutate(key = reorder(key, seq_along(key))) %>%
  ggplot(aes(key, value)) +
  geom_col() +
  labs(title="Dalton parish population distribution",
       subtitle="Contains: Scotland's Census data and Scottish Government data\nlicensed under the Open Government Licence v3.0",
       x="", y="People") +
  coord_flip() +
  theme_bw() +
  theme(text=element_text(size=20), plot.subtitle=element_text(size=10))

It’s also of interest to compare one parish against another, so I compared Dalton against Edinburgh. Basically as before but adding an extra point layer for the visualisation. The data have now been changed to proportions of each parish so they are comparable.


x = df %>%
  filter(X1=="Dalton" | X1=="Edinburgh") %>%
  select(-`Mean age`, -`Median age`, -X21) %>%
  mutate_at(vars(-X1), funs(prop = . / `All people`)) %>%
  select(-`All people_prop`) %>%
  select(X1, ends_with("prop")) %>%
  gather(key, value, -X1) %>%
  separate(key, c("key", "drop"), "_") %>%
  mutate(key = reorder(key, seq_along(key)))

x %>%
  filter(X1=="Dalton") %>%
  ggplot(aes(key, value)) +
  geom_col() +
  geom_point(data=filter(x, X1=="Edinburgh"), aes(key, value)) +
  scale_y_continuous(labels=scales::percent) +
  labs(title="Dalton parish (bars) and Edinburgh (dots) population distribution",
       subtitle="Contains: Scotland's Census data and Scottish Government data\nlicensed under the Open Government Licence v3.0",
       x="", y="People") +
  coord_flip() +
  theme_bw() +
  theme(text=element_text(size=20), plot.subtitle=element_text(size=10))

Finally, we can compare distributions for the whole of Scotland against Edinburgh and Dalton using boxplots. I can imagine a beautiful plot with density polygons showing the national data, but I don’t have time to figure it out now!



x = df %>%
  select(-`Mean age`, -`Median age`, -X21) %>%
  mutate_at(vars(-X1), funs(prop = . / `All people`)) %>%
  select(-`All people_prop`) %>%
  select(X1, ends_with("prop")) %>%
  gather(key, value, -X1) %>%
  separate(key, c("key", "drop"), "_") %>%
  mutate(key = reorder(key, seq_along(key)))

x %>%
  filter(X1!="Scotland") %>%
  ggplot(aes(key, value)) +
  geom_boxplot(colour="grey50") +
  geom_point(data=filter(x, X1=="Dalton"), aes(key, value),
             colour="purple4", shape=4, stroke=2, show.legend=T) +
  geom_point(data=filter(x, X1=="Edinburgh"), aes(key, value),
             colour="darkorange2", shape=2, stroke=1.5, show.legend=T) +
  scale_y_continuous(labels=scales::percent) +
  labs(title="Dalton parish (purple crosses) and Edinburgh (orange triangles)\nover Scotland's population distribution",
       subtitle="Contains: Scotland's Census data and Scottish Government data\nlicensed under the Open Government Licence v3.0",
       x="", y="People") +
  coord_flip() +
  theme_bw() +
  theme(text=element_text(size=20), plot.subtitle=element_text(size=10))


OpenSSL versioning and license changes


The OpenSSL Management Committee has been looking at the versioning scheme that is currently in use. Over the years we’ve received plenty of feedback about the “uniqueness” of this scheme, and it does cause some confusion for some users. We would like to adopt a more typical version numbering approach.

The current versioning scheme has this format:

MAJOR.MINOR.FIX[PATCH]

The new scheme will have this format:

MAJOR.MINOR.PATCH

In practical terms our “letter” patch releases become patch numbers and “fix” is dropped from the concept. In future, API/ABI compatibility will only be guaranteed for the same MAJOR version number. Previously we guaranteed API/ABI compatibility across the same MAJOR.MINOR combination. This more closely aligns with the expectations of users who are familiar with semantic versioning. We are not at this stage directly adopting semantic versioning because it would mean changing our current LTS policies and practices.

The current 1.1.1 and 1.0.2 versioning scheme will remain unchanged.

The current development version (master branch) will be identified as version 3.0.0. The OpenSSL FIPS module currently under development will also follow this versioning scheme. We are skipping the 2.0.0 major version because the previous OpenSSL FIPS module has already used this number.
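The two schemes side by side, as an added example (not OpenSSL project code): a small Python parser that accepts both the old MAJOR.MINOR.FIX[PATCH] strings and the new MAJOR.MINOR.PATCH strings, including the version token of `openssl version` output, and applies the compatibility rule stated above. It assumes, as the announcement implies, that the new scheme begins at major version 3 (2.x is skipped and 1.1.1/1.0.2 keep the old scheme); pre-release suffixes are not handled.

```python
"""Parse OpenSSL version strings under the old MAJOR.MINOR.FIX[PATCH]
scheme (1.0.2p, 1.1.1c) and the new MAJOR.MINOR.PATCH scheme (3.0.0),
and apply the API/ABI compatibility rule from the announcement.

Added example, not OpenSSL project code.  Assumption: the new scheme
starts at major version 3.
"""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
NEW_SCHEME_FIRST_MAJOR = 3  # assumption drawn from the announcement


@dataclass(frozen=True, order=True)
class OpenSSLVersion:
    major: int
    minor: int
    third: int          # FIX under the old scheme, PATCH under the new one
    letter: str = ""    # old-scheme patch letters ("c" in 1.1.1c), "" otherwise

    @property
    def scheme(self) -> str:
        return "new" if self.major >= NEW_SCHEME_FIRST_MAJOR else "old"

    def abi_line(self) -> tuple:
        """Identifier of the API/ABI-compatible series this release belongs to:
        MAJOR only under the new scheme, MAJOR.MINOR under the old one."""
        if self.scheme == "new":
            return (self.major,)
        return (self.major, self.minor)


def parse_version(text: str) -> OpenSSLVersion:
    """Parse '1.1.1c', '3.0.0' or a full 'OpenSSL 1.1.0c  10 Nov 2016' line."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty version string")
    candidate = tokens[1] if tokens[0] == "OpenSSL" and len(tokens) > 1 else tokens[0]
    m = _VERSION_RE.match(candidate)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, third = (int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)
    if major >= NEW_SCHEME_FIRST_MAJOR and letter:
        raise ValueError("patch letters are not used from 3.0.0 on")
    return OpenSSLVersion(major, minor, third, letter)


def is_valid_version(text: str) -> bool:
    try:
        parse_version(text)
        return True
    except ValueError:
        return False


def abi_compatible(a: str, b: str) -> bool:
    """True when the announcement guarantees API/ABI compatibility between
    the two releases: same MAJOR.MINOR before 3.0.0, same MAJOR from 3.0.0."""
    va, vb = parse_version(a), parse_version(b)
    return va.scheme == vb.scheme and va.abi_line() == vb.abi_line()


if __name__ == "__main__":
    for pair in (("1.1.1a", "1.1.1c"), ("1.0.2p", "1.1.1c"), ("3.0.0", "3.1.2")):
        print(pair, "compatible" if abi_compatible(*pair) else "not guaranteed")
```

Sorting `OpenSSLVersion` objects orders releases correctly within either scheme, because an empty patch letter sorts before "a", and a letter string such as "z" sorts before "za".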

OpenSSL version 3.0.0 will be the first version that we release under the Apache License 2.0. We will not be applying the Apache License to earlier releases of OpenSSL.

OCSP Must-Staple; Revocation Solution

kdobieski

Wed, 11/28/2018 10:23

OCSP Must-Staple

Setting up OCSP Must-Staple is fairly easy as it’s simply a flag that needs to be set by your CA in the certificate they generate for you. This flag instructs the browser that the certificate must be served with a valid OCSP response or the browser should hard fail on the connection. How you obtain your certificates will depend on how you set the OCSP must-staple flag but if you followed my previous guide on Getting started with Let’s Encrypt then it’s really easy. First of all you need to edit the OpenSSL config file used to generate your CSR.

nano openssl.cnf

Next, find the section where you set your req_extensions, for me I call it v3_req.

req_extensions = v3_req

This section will contain other details including your SAN.

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names

To setup OCSP Must-Staple all you need to do is add the following line.

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names

1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05

Don’t worry too much about the details here, but if you do want to know, 1.3.6.1.5.5.7.1 is the object identifier arc for SMI Security for PKIX Certificate Extensions and 24 is the id assigned to RFC 7633. After the = is the ASN.1 DER encoding of the Features structure, or the value 5 to you and me. If you’re using OpenSSL 1.1.0 or higher you can specify this extension in a much prettier way; see the update at the bottom of the article. With that aside, you’re ready to regenerate your CSR.
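To see what that DER:30:03:02:01:05 value actually is, here is an added Python example (not from the original post) that builds the RFC 7633 Features value, a SEQUENCE OF INTEGER, for a list of feature ids, emits the openssl.cnf line in the raw-OID form used above, and parses such a value back so you can check the extension bytes of a certificate or CSR for the must-staple feature. The feature numbers 5 (status_request) and 17 (status_request_v2) come from RFC 7633; the function names are my own.

```python
"""Encode and decode the RFC 7633 TLS Feature extension value (OID
1.3.6.1.5.5.7.1.24), whose DER is ``Features ::= SEQUENCE OF INTEGER``.

Added example; not code from the original post.  It reproduces the
``DER:30:03:02:01:05`` value used in openssl.cnf above and checks an
arbitrary DER value for the must-staple feature.
"""

# Feature numbers from RFC 7633.
STATUS_REQUEST = 5        # OCSP Must-Staple ("status_request")
STATUS_REQUEST_V2 = 17    # status_request_v2

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (minimal two's complement)."""
    if value < 0:
        raise ValueError("feature ids are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # keep the sign bit clear for positive numbers
        body = b"\x00" + body
    return bytes([TAG_INTEGER]) + _der_length(len(body)) + body


def encode_tls_features(features) -> bytes:
    """Features ::= SEQUENCE OF INTEGER."""
    body = b"".join(_der_integer(f) for f in features)
    return bytes([TAG_SEQUENCE]) + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_tls_features(der: bytes):
    """Parse a Features value back into a list of feature ids."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != TAG_INTEGER or not value:
            raise ValueError("expected INTEGER")
        features.append(int.from_bytes(value, "big", signed=True))
    return features


def is_valid_tls_features(der: bytes) -> bool:
    try:
        decode_tls_features(der)
        return True
    except ValueError:
        return False


def requires_ocsp_stapling(der: bytes) -> bool:
    """True when the extension value asks for a stapled OCSP response."""
    return STATUS_REQUEST in decode_tls_features(der)


def openssl_cnf_line(features) -> str:
    """The raw-OID form accepted by any OpenSSL version, as in the article."""
    hexbytes = ":".join(f"{b:02X}" for b in encode_tls_features(features))
    return f"1.3.6.1.5.5.7.1.24 = DER:{hexbytes}"


if __name__ == "__main__":
    print(openssl_cnf_line([STATUS_REQUEST]))
```

The decoder deliberately refuses trailing bytes, truncated lengths and non-INTEGER members, so a mangled extension is reported rather than silently treated as "no must-staple".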

openssl req -new -key private.key -out scotthelme.csr -config openssl.cnf -sha256

With this you can now call your renewal script or call acme_tiny (or which ever Let’s Encrypt client you’re using) to get a new certificate that will contain the OCSP must-staple extension.

./home/acme/renew.sh

Checking for OCSP must-staple

The easiest way to check if your new certificates are properly flagged as OCSP Must-Staple is with the awesome SSL Labs test built by Ivan Ristic. A quick scan will tell you exactly what you need; just look in the Authentication section of the report.

You can also do this from the command line before you try to use the certificates by checking both the CSR and the signed certificate you obtain. To check your certificate use the following command.

openssl x509 -in signed.crt -noout -text

In the output you’re looking for the x509v3 extensions section and specifically 1.3.6.1.5.5.7.1.24 which is what we created earlier.

X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:scotthelme.co.uk, DNS:www.scotthelme.co.uk
    1.3.6.1.5.5.7.1.24:
        0....

It’s the same approach for the CSR with a change on the command to use req instead of x509 and the appropriate CSR file.

openssl req -in scott.csr -noout -text

In the output from the CSR you’re looking for the exact same thing as above in the certificate.

Revocation checking that’s reliable

The big problem that we had with revocation checking was that we couldn’t rely on it. CRLs were bad, OCSP endpoints were unreliable and stapling helped but we didn’t know if the site supported it. Now we do. In the event of a compromise or any other scenario where you find yourself needing to revoke your certificate you can be confident that when the client receives your certificate in a connection it will be forced to check for a stapled OCSP response. This offers a huge level of protection and reduces the potential time an attacker can abuse a compromised certificate from the maximum life of the certificate, which could be up to 39 months, down to the maximum life of the last valid OCSP response, which could be a few hours.

It’s not perfect but OCSP must-staple presents the first opportunity for us to rely on revocation actually working. There are some concerns about depending on your CA to deliver you a valid OCSP response to serve and the implementation of OCSP stapling in web servers could do with a little work too. I’m publishing another blog this week about a mechanism similar to CSP/HPKP reporting called OCSP Expect-Staple where the browser will report back if it doesn’t receive a valid OCSP staple. Check back in a few days.

Update 14th Feb 2017

If you’re using OpenSSL 1.1.0 or higher then there is a slightly nicer way of specifying the Must-Staple flag as pointed out by Rob in the comments below. Check your version of OpenSSL before using this:

openssl version

OpenSSL 1.1.0c  10 Nov 2016

If your version is 1.1.0 or higher you can place the following in your openssl.cnf file instead.

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

subjectAltName = @alt_names

tlsfeature = status_request

This post originally appeared on https://scotthelme.co.uk


Featured Blogger: Scott Helme

Revocation checking is broken and has been for some time. Whilst some vendors have sort of worked around this with proprietary solutions, there is little that the smaller sites can do. OCSP Must-Staple to the rescue!

Revocation checking

In the early days of the web we had Certificate Revocation Lists, or CRLs. These were lists of all certificates that a CA had revoked and could be downloaded by a client to check if the certificate they were served had been revoked. These lists didn’t scale and eventually downloading these large files became a problem, thus the Online Certificate Status Protocol, or OCSP, was born. Instead of the client downloading a list of all revoked certificates, they would submit a request to the CA to check the status of the specific certificate they had received. Sadly OCSP was riddled with problems like poor CA infrastructure being unavailable and the privacy concern of clients leaking the site they were visiting to the CA. To get around this problem OCSP Stapling was created. Instead of the client making the OCSP request to the CA, the host website would make the request and ‘staple’ the response to the certificate when they served it. Because the OCSP response is short lived and digitally signed by the CA, the client can trust the stapled OCSP response. The final problem was that the client had no idea that the site in question supports OCSP and whether or not it should expect them to staple an OCSP response. Thus, we finally arrived at OCSP Must-Staple.



*** This is a Security Bloggers Network syndicated blog from Rss blog authored by kdobieski. Read the original post at: https://www.venafi.com/blog/ocsp-must-staple

Delphix Brings Even More Speed, Security to Amazon Relational Database Service

Leading hospitality company Choice Hotels, other global enterprises rely on the Delphix DataOps platform leveraging Amazon Relational Database Service to quickly, securely migrate data to the cloud, fuel mission-critical digital transformation initiatives

LAS VEGAS, Nev. @ AWS re:Invent 2018, November 28, 2018. Delphix, the company accelerating innovation through DataOps, today announced the availability of the Delphix Dynamic Data Platform (DDDP) leveraging Amazon Relational Database Service (Amazon RDS). Building on the long-standing relationship between Delphix and Amazon Web Services, Inc. (AWS), this innovative solution will provide cloud development teams at global enterprises with the fast, secure data they need to bring cloud-native applications to market with the speed required to win in today’s digital economy.

According to PWC’s 2018 “Innovation Benchmark” report, nearly three-quarters of businesses say they are being out-innovated by competitors. Applications are rapidly becoming more complex, intelligent, and data-intensive, leaving companies struggling with legacy data infrastructure, unable to use it to deliver innovation that keeps pace with ever-changing consumer demands.

Development teams need easy access to data in on-demand cloud environments, but operations are mired in manual tasks like database provisioning and data redaction forcing development teams to wait days or weeks for data. As these organizations migrate more workloads to the cloud, they are faced with the painful reality that their data can’t move at the speed enabled by the cloud. The explosion of demand required to support a data-driven enterprise creates intense friction with the ever-increasing cost, complexity, and risk of managing, distributing, and securing that data.

Amazon RDS was created to simplify this process, enabling teams to quickly and easily create new production environments, as needed, in a scalable and manageable manner. The Delphix Dynamic Data Platform was created to allow for ready access to data in non-production development and test environments so teams can move faster at lower cost, without compromising data privacy. This powerful combination gives customers a solution that will help them deliver continuous innovation to the market quickly and securely, at a fraction of the time and cost.

“Many of our customers trust Amazon RDS to manage their databases at scale,” said Anurag Gupta, Vice President, Analytics, Aurora, and RDS, Amazon Web Services, Inc. “By working with Delphix, we can not only make database management easier for enterprises, but also provide the performance enhancements these organizations need to accelerate mission-critical initiatives and win in their respective markets.”

As part of today’s announcement, the Delphix platform on Amazon RDS offers:

High scalability, availability, and manageability of production databases on AWS;
On-demand Amazon Elastic Compute Cloud (Amazon EC2) provisioning of production database copies in minutes, bringing the speed and agility of the cloud to databases;
Self-service controls to refresh, branch, bookmark, and share so developers can treat data as code, integrated with DevOps tools and the Delphix Automation Framework;
Integrated data masking to identify and mitigate risk in downstream environments;
Extensible plugins that support Oracle, PostgreSQL, and MySQL with more to come.

“Digital transformation initiatives are being undertaken by enterprises to deliver innovative, new experiences to customers faster than ever before. This increased rate of application refresh places dramatically more pressure on developers and the development process,” said Al Gillen, group VP, Software Development and Open Source, IDC. “With the Delphix DataOps platform on Amazon RDS, companies now have a new target platform to host data for development and testing, reducing friction to help development teams accelerate delivery of next-generation applications.”

“As we look to shift more and more workloads to the cloud to bring greater efficiency and agility to our business, governance and managing data for modern software development lifecycles has become one of our top issues as we fully adopt cloud,” said Nick Suwyn, Principal Systems Engineer at Choice Hotels. “The Delphix platform minimizes security concerns and provides automated data environments in the cloud to drive software innovation faster and faster each day.”

DataOps Goes Cloud-Native

In use by nearly one-half of the Fortune 50, Delphix is deployed by some of the largest brands in the world to fuel and accelerate mission-critical transformation initiatives. By opening up the flow of data, the Delphix platform works with Amazon RDS to help enable the creation of secure data environments in just minutes. What’s more, the ability to automate data environment provisioning is at the heart of a DataOps approach that has accelerated both software development and cloud migration projects. Fast gaining momentum in the market, DataOps was recently identified as the latest “Innovation Trigger” in three Gartner “Hype Cycles” for 2018 (Data Management, Enterprise IT Management, and Data Security) and is expected to achieve mainstream adoption in five years.

“Data is a major impediment to achieving the speed needed to win in today’s digital economy,” said Chris Cook, CEO, Delphix. “Building on our long-standing relationship with AWS, Delphix on Amazon RDS helps secure data on AWS to enable more enterprises to accelerate innovation, move to the cloud, and lead their respective markets.”

About Delphix

Delphix’s mission is to free companies from data friction and accelerate innovation. Fortune 100 companies use the Delphix Dynamic Data Platform to connect, virtualize, secure, and manage data in hybrid cloud environments. For more information visit www.delphix.com.


Dell announces security breach

Hardware giant Dell announced today a security breach that took place earlier this month, on November 9.

Dell says it detected an unauthorized intruder (or intruders) "attempting to extract Dell.com customer information" from its systems, such as customer names, email addresses, and hashed passwords.

The company didn't go into details about the password hashing algorithm it uses. Some algorithms, such as unsalted MD5, can be reversed within seconds to reveal the plaintext password.

"Though it is possible some of this information was removed from Dell's network, our investigations found no conclusive evidence that any was extracted," Dell said today in a press release.

The company also said hackers didn't target payment card or any other sensitive customer information, and that the incident didn't cause a disruption of its normal services at the time of the breach or after.

After announcing the incident today, Dell initiated a password reset for all Dell.com customer accounts.

The company said it notified law enforcement, and also hired a digital forensics firm to perform an independent investigation.

Based on currently revealed details, Dell appears to have exposed very little information associated with its official website, where most users come to shop official products or have discussions on its official support forums.

While Dell has downplayed the incident's impact, it is worth mentioning that many breached companies amend these initial revelations as their investigations advance.

Besides resetting passwords, Dell.com users should manually review what information they've stored in their respective accounts. In case they've saved financial information, they should keep an eye on card statements, to be on the safe side.

This is a developing story. ZDNet has reached out to Dell with some questions to clarify some details regarding the incident. The article might receive corrections and new information as it becomes available.

BrandPost: Cybersecurity Skills Report: Data Shows What CISOs Look for In Securi ...

Organizations have placed a significant focus on filling cybersecurity positions, seeking professionals with the right background to address technical security tasks and facilitate the success of broader business goals.

As cybercriminals continue to develop sophisticated attacks and business leaders aim to drive digital transformation efforts forward, a well-equipped security team is essential to the success of an organization. Together, these two trends have changed the skills and abilities that CISOs and other executives seek when hiring security talent.

Similar to the changes happening at the CISO level, which is now taking on a business enablement role, we are now seeing a shift occur for those seeking Security Architect positions.

A New Study on the Security Architect Recruiting Process

The role of Security Architect, who is tasked with building security infrastructures that not only respond to but can also anticipate threats, has traditionally drawn applicants who demonstrate hard, tactical skillsets. However, CISOs are increasingly focusing on candidates who offer a balanced mix of hard and soft skills, as indicated by a recent Fortinet study.

Cybersecurity is an extremely competitive field due to the cyberskills shortage, an issue that goes beyond a lack of incoming talent and also encompasses those in the field without the skills necessary to meet today’s specific needs. To this end, the Security Architect Skill Gap Report illuminates the information needed to minimize the impact of this skills shortage. This is done by providing CISOs with the data and context needed to hone their recruiting process for Security Architects while demonstrating how applicants must adapt to evolving business requirements.

The Skills CISOs Are Looking for In Security Architects

As CISOs aim to build out their security teams with professionals who can combat modern cyberattacks and secure their digital transformation efforts, they seek a variety of hard and soft skills that highlight strategy and analysis in addition to traditional design and configuration abilities. While these requirements may vary across organizations based on specific needs, there are a few trends worth noting.

Hard Skillsets

CISOs require candidates to be proficient in risk management and security standards, as well as an understanding of business goals and how they will translate into security practices. These types of skills were mentioned more often in Security Architect job ads than tactical abilities such as encryption, firewalls, or security controls.

This is indicative of the need to focus on security in conjunction with business enablement. However, this does not mean that CISOs have stopped looking for technical skills and experience with specific systems altogether.

The top hard skillsets that organizations are looking for in Security Architect applicants include:

Security architecture
Risk Management
Integration
Security Standards
Encryption
Firewalls
Security Controls

Soft Skillsets

As security teams play a greater role in business enablement, CISOs also seek candidates with demonstrated abilities in the soft skillsets necessary to collaborate and strategize across lines of business. The data shows that the soft skills referenced in Security Architect job ads and responding resumes typically fall into four categories:

Analytical: Analysis, research, and problem solving
Leadership: Planning, mentoring, leading
Personal Characteristics: Integrity, focus
Communication / Interpersonal: Interpersonal, collaboration, communications

The data indicates that CISOs are now looking for candidates that are comfortable shifting between strategic and tactical tasks. For example, preparing for or responding to a security incident without ignoring important ongoing strategic tasks such as conducting risk assessments or defining secure approaches for cloud adoption.

Additional Factors

In addition to hard and soft skills, there are several other qualifications that are factored in when evaluating applicants for today’s Security Architect positions. Two of these considerations are education/certifications and career tenure.

Typically, organizations request that Security Architects have a bachelor’s degree, and do not necessarily look for higher forms of education. Employers also often request on average two certifications, which may be in practices applicable to the specific needs of the positions.

Career tenure is another consideration in the hiring process. Many applicants for Security Architect positions are considered mid-career, having been in the workforce for an average of 18.8 years. The data also shows that job hopping remains an issue as personnel poaching grows in response to the growing skills gap, with the average candidate having held 1.8 jobs over the last two years. This shows that CISOs must be strategic in their retention strategies in such a high-demand industry.

The Skills Gap Between Recruiters and Candidates

This data, revealed through analysis of thousands of job ads and responding resumes for Security Architect positions, also uncovered discrepancies between the skills CISOs are searching for and how prospective candidates market themselves in resumes and cover letters. This occurs for both hard and soft skills.

Rather than focusing on strategic skills such as risk management, applicants tend to emphasize only the specific technology and systems they are familiar with, such as experience with SQL, Oracle, or VPNs. Additionally, applicants often call out familiarity with industry standards, such as ISO and NIST, but don’t provide evidence of the strategies used to apply that knowledge in their jobs. In fact, fewer than half of applicants include strategic skills on their resumes.

While many applicants emphasize leadership capabilities, they often under-represent other crucial soft skills. Applicants commonly include leadership and planning on their resumes thinking that is what prospective employers want to see most for soft skills. However, in addition to these skills, most employers frequently include analytical and communication skills as key requirements in their job listings.

Final Thoughts

Security roles are evolving, moving from tactical to strategic business enablement positions. This means that CISOs looking to fill these positions, as well as applicants seeking to be hired, must adjust how they present their requirements and qualifications.

Security Architect applicants must be sure to include their soft skillsets on their resumes. Additionally, when it comes to showcasing hard skillsets, they must incorporate strategic abilities in addition to mentioning tactical skills in specific systems.

Likewise, in job listings CISOs must use exact language that defines the specific hard and soft skills they seek. This will ensure they attract candidates who can meet strategic,

US DHS Cybersecurity and Infrastructure Security Agency to focus on long-term programs

On November 16, shortly after President Trump signed the Cybersecurity and Infrastructure Security Agency Act, which creates a new agency-level cybersecurity organization inside the US Department of Homeland Security, DHS Secretary Kirstjen Nielsen said at a US Chamber of Commerce event that four trends in the current cyber threat landscape require the US government and industry to rethink their risk management practices: deliberate attacks by nation states on US critical infrastructure; cyber attacks such as the NotPetya ransomware that can affect and damage multiple sectors; viewing risk management through the lens of assets and organizations rather than critical functions; and the recognition that resilience matters more than preventing an attack or intrusion. Accordingly, the future work of the newly established Cybersecurity and Infrastructure Security Agency will focus on long-term programs such as identifying the National Critical Functions of each critical infrastructure sector and changing the thinking and practice behind US global supply chain operations and procurement.

Nielsen said that the most important current task of the agency's newly created National Center for Risk Management is to work with each critical infrastructure sector to produce a list of critical infrastructure functions. The center's director, Bob Kolasky, noted that a full accounting of critical infrastructure functions could take years, but the agency hopes to have a workable list in the near term to support its analysis and other programs.

Cybersecurity and Infrastructure Security Agency Director Chris Krebs said the list of US critical infrastructure functions will be completed by the end of this year, after which the National Center for Risk Management will work with cross-sector partners to analyze and prioritize the list in order to decide what to tackle next. Sectors with more mature risk profiles may be placed higher in the priority order. The National Center for Risk Management has also set up a tri-sector council focused on the telecommunications, financial and energy industries.

Also on November 16, DHS published the 60-member roster of its Supply Chain Task Force. On the US government side, members include representatives from DHS, the Department of Defense, the Treasury, the Department of Justice, the General Services Administration (GSA), the Office of the Director of National Intelligence (ODNI) and the Social Security Administration. On the private sector side, members include 26 major technology companies and industry associations, among them AT&T, Verizon, Intel, Microsoft, the Cybersecurity Coalition, FireEye and the Information Technology Information Sharing and Analysis Center.

Nielsen also urged the private sector to join DHS information sharing programs such as Automated Indicator Sharing. Such programs have drawn a number of complaints, for example that much of the data DHS shares is useless or not actionable; Nielsen said DHS hopes to change that.

Statement: This article comes from 国际安全简报 and the copyright belongs to the author. Its content represents the author's independent views only and does not represent the position of 安全内参; it is reproduced in order to convey more information. To reproduce it, contact the original author for authorization.

Australia needs integrated e-government, says security expert

Australia's move towards a digital government should be more of an integrated effort and should not be restricted to silos, a cyber security expert says, expressing scepticism about the ideas put forward recently by Human Services and Digital Transformation Minister Michael Keenan.

Fergus Hanson, head of International Cyber Policy Centre at the lobby group Australian Strategic Policy Institute, said it would be better to have co-ordination between the three levels of government - local, state and federal - rather than provide digital services in little silos.

This was much better, both in terms of cost and security, as there would not be a single target for attackers, he pointed out. And it would avoid that great bugbear of public service: duplication.

Last week, Keenan announced that the Federal Government would make all services, with which citizens have to interact, accessible online by 2025.

Hanson will release a new report in Brisbane on Friday, titled Introducing Integrated e-government in Australia, in conjunction with the Australian Computer Society.

He said it would be better to have services at various levels, as in Estonia, that could access a central authority when needed. This way, there would be no duplication.

Hanson pointed to digital identity as a classic case of duplication. At the moment, Australia has two systems for identity verification ― the Australia Post system known as Digital iD and the DTA-managed GovPass ― neither of which was governed by dedicated legislation.

In a paper for ASPI, he said: "The government is now building two digital identity schemes that will compete against each other. The first, which is already operational, was built by Australia Post at a cost of $30-50 million and is known as Digital iD.

"The second scheme, GovPass, secured $92.4 million in the 2018-19 Budget to create the infrastructure that will underpin it and fund its initial rollout.

"Neither GovPass nor Digital iD is governed by dedicated legislation, beyond existing laws such as the inadequate Privacy Act 1988, leaving Australians vulnerable to having their data misused."

He said there needed to be agreement between the various levels of government to create services that were geared towards citizens.

New features from Amazon Web Services aim to make cloud security easier to manag ...

Even after all these years, during which private data centers have fallen victim to countless security breaches while cloud providers sail along unharmed, cloud security is still one of the top concerns for Amazon Web Services customers. The company hopes new security features introduced Wednesday at re:Invent 2018 put those customers at ease.

AWS Security Hub is a new dashboard that will allow AWS customers to see a snapshot of their security posture across their account using AWS security services like GuardDuty as well as third-party security software from companies that partner with AWS, like Symantec and F5 Networks. It will aggregate the deluge of security notifications that those products tend to hurl at their users and organize that information in an easier-to-understand way.

“Centralization is nothing new; what we really wanted to focus on with Security Hub was prioritization,” said Stephen Schmidt, chief information security officer for AWS, in an interview following the keynote speech. “So we build maps of the customer systems, analyze the security of the systems using the tools that are built in like Inspector and Guard Duty, and then prioritize the work that their security teams have to do to secure the estates better.”

The company also hopes that another new service called AWS Control Tower will help address the scourge of customers who leave their S3 storage buckets unprotected on the internet, either inadvertently or for convenience. Control Tower allows administrators to set access levels for organizations in which lots of people have accounts granting them access to their company’s AWS infrastructure.

As the largest cloud provider in the world, AWS is arguably one of the biggest targets outside of major financial institutions or government agencies. Yet the threats against it and the types of malicious actors seeking to get inside AWS haven’t really changed over the last few years; “You’ve got the same people motivated by the same things,” Schmidt said, which includes financial reward, hacker cred, and nation-states attempting to advance their agendas.

Oh my chord! Sennheiser hits bum note with major HTTPS certificate cock-up

Headphone maker Sennheiser is facing the music after being caught compromising the security of its customers.

The vendor's Headsetup and Headsetup Pro applications install both a root certificate and its private key on Windows and Mac computers, which can be used, for instance, by scumbags to intercept and decrypt users' encrypted HTTPS web browsing. In effect, installing the Headsetup software leaves you open to having your web connections snooped on or tampered with, and any sensitive information like passwords stolen.

A report out this week [PDF] by Secorvo Security Consulting details the blunder.

We're told Headsetup is a tool that connects voice chat websites to posh Sennheiser headsets. The software installs a trusted root security certificate, and uses that to open a local secure web socket, through which the website in the browser can access the swanky headphones using HTTPS. This secure link uses a TLS certificate chained to the installed root cert.

This is, we're told, required to avoid running afoul of cross-origin resource sharing rules put in place by modern browsers. The web socket requires a custom certificate because it must be assigned to the reserved IP address, 127.0.0.1 aka localhost. So Headsetup opens a web socket and presents a HTTPS certificate that is chained to the installed trusted root cert. The browser uses the installed root cert to check the socket's certificate is legit, and off it goes.

What is concerning to the researchers is that by having both the certificate and key present on the machine, an attacker can reuse the key which is common to all installations to create arbitrary HTTPS certificates for other websites and have them trusted by Headsetup users because the bogus certs are chained to the installed trusted root security certificate. This also means intercepted SSL/TLS connections can be decrypted, and malware can be digitally signed and trusted as legit software. This is music to the ears of determined hackers.
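The condition the report describes, a trusted root certificate installed together with its private key, can be checked for directly on a Windows machine. The following PowerShell script is an added example written for this page, not Sennheiser's removal script or anything from the Secorvo report. It assumes the standard Windows certificate provider (`Cert:`) and, because the article does not name the certificate's subject, it flags any trusted root whose private key is present on the host rather than looking for one specific certificate.

```powershell
# Added example (not from the article or Secorvo's report): list trusted root
# certificates on this Windows host whose private key is also present.
# A root CA certificate should never be distributed with its private key;
# any hit here is the situation the Headsetup report describes and deserves
# investigation (and, normally, removal of the certificate).
function Find-RootCertsWithPrivateKey {
    [CmdletBinding()]
    param(
        # Both stores are consulted by Windows when it builds a trust chain,
        # so an unwanted root in either one is trusted by the browser.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# On a clean machine this prints nothing: no root CA key should live here.
Find-RootCertsWithPrivateKey | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store can be read in full. The Subject and Thumbprint columns are what to compare against the vendor's advisory before removing anything, since the same check will also surface legitimate internal CAs that an administrator installed deliberately with their keys.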

"We found that caused by a critical implementation flaw the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker. This allows him or her to sign and issue technically trustworthy certificates," Secorvo explained.

"Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send e.g. trustworthy signed software or acting as an authority authorised by Sennheiser."


For example, an attacker could create a malicious password-stealing website that masquerades as a bank or shopping site, then place a link to the website on a support forum frequented by Sennheiser headset owners. When a Headsetup user visits the fake page, the site presents a HTTPS certificate chained to the HeadSetup root cert to pass itself off as a legit secure website. The bogus site would then ask for a username and password, something like "please login to continue", and swipe the credentials before redirecting to the real site. That would require the fake site to have a carefully crafted domain name like store.amazom.com.

However, if it's possible for the hacker to control the victim's DNS lookups, the bogus website can appear even more legit by using a familiar domain name and having a little green padlock to show it's secure. A man in the MIDI, sorry, middle attack could also use the root cert and key to intercept and decrypt HTTPS connections to legit websites on the fly. Precautions, such as certificate pinning, can be taken to mitigate these kinds of shenanigans.

All in all, though, even if Sennheiser customers were in no immediate danger, this shabby approach to security is not a great look.

Fortunately, Sennheiser has already posted an update to rectify the issue by removing the certificates and keys.

For Windows users, the updated Headsetup version is 8.1.6114, while Mac users will want to update to version 5.3.7011. Those who can't install the updates are being offered a removal script that purges the vulnerable crypto.


Smart Manufacturing Integration and Innovation Summit Held Successfully in Changsha


ZDNet China (至顶网) CIO and Applications Channel, Beijing, November 28 (by Huang Yaqi): On November 28, the Smart Manufacturing Integration and Innovation Summit was held at the Changsha International Convention and Exhibition Center. The summit was guided by the Office of the Central Cyberspace Affairs Commission and the Ministry of Industry and Information Technology (MIIT); hosted by the People's Government of Hunan Province, the Chinese Academy of Engineering, the China Association for Science and Technology, the National University of Defense Technology and China Electronics Corporation (CEC); organized by the MIIT Equipment Industry Department, the Hunan Provincial Department of Industry and Information Technology, the Changsha Municipal People's Government and CEC Industrial Internet Co., Ltd.; and co-organized by 至顶网 (ZDNet China) and the China Manufacturing Thousand Talents Conference (中国制造千人会).


The report to the 19th National Congress of the CPC called for accelerating the building of a strong manufacturing nation, speeding up the development of advanced manufacturing, and promoting the deep integration of the internet, big data and artificial intelligence with the real economy. The Smart Manufacturing Integration and Innovation Summit was both a stage-by-stage review of the experience gained in smart manufacturing innovation in the new era and a systematic reflection on how to pursue "intelligent" manufacturing in China more broadly and deeply. The summit focused on hot topics of concern to the manufacturing industry, such as smart manufacturing and new manufacturing, explored in depth the challenges, paths and technologies of the digital transformation of manufacturing, and built an international, cutting-edge, industry-oriented platform.

The summit received strong support from government leaders, experts and scholars, and corporate executives. Wang Hong, Director of the Major Technical Equipment Division of the MIIT Equipment Industry Department, and Ni Donghai, Deputy Inspector of the Hunan Provincial Department of Industry and Information Technology, each delivered speeches, and officials including Chen Jun, Director of the Raw Materials Industry Division of the Hunan Provincial Department of Industry and Information Technology, attended.

The summit also invited corporate representatives to offer advice on the overall development of China's smart manufacturing industry, including Wu Jinsong, Senior Vice President of Flex and General Manager of its Huawei global business; Peng Junsong, Vice President and Chief Digital Officer of SAP China; Wang Jian, Senior Vice President of Yonyou Network Technology Co., Ltd.; Wang Bo, General Manager of Fujitsu's Digital Business Headquarters; Cai Qinan, General Manager for China of Advantech's Industrial IoT business group; Zheng Shuangquan, Deputy General Manager of the Midea Cloud (美云智数) business unit; and Guo Zhenming, General Manager of AU Optronics (Suzhou) Co., Ltd.


Ni Donghai, Deputy Inspector of the Hunan Provincial Department of Industry and Information Technology

In his welcoming address, Ni Donghai, Deputy Inspector of the Hunan Provincial Department of Industry and Information Technology, said that building a modern economic system requires putting the focus of economic development on the real economy; to implement the spirit of the 19th National Congress and resolutely carry out the strategy of becoming a strong manufacturing nation, Hunan Province has consistently treated smart manufacturing as a key strategy. He believes that smart manufacturing is the future of Chinese manufacturing, and that Hunan will continue to let smart manufacturing lead industrial transformation and upgrading, strive for breakthroughs in key core technologies, drive industrial transformation and upgrading, and go all out to build a national smart manufacturing center.


Wang Hong, Director of the Major Technical Equipment Division of the MIIT Equipment Industry Department

In his opening address, Wang Hong, Director of the Major Technical Equipment Division of the MIIT Equipment Industry Department, said that China's transformation and upgrading is accelerating and the manufacturing industry is pushing transformation across the board; against this backdrop, the industry should be confident about future development while also recognizing the problems that exist. He made five recommendations: first, strengthen innovation in key generic technologies; second, speed up standards research and development and advance the construction of a smart manufacturing standards system; third, step up the pilot demonstration and promotion of smart manufacturing; fourth, build a smart manufacturing ecosystem; and fifth, build a smart manufacturing talent pool and improve the talent training mechanism.


SEMKO VIKTOR, Academician of Ukraine, Professor and Doctoral Supervisor at Borys Grinchenko Kyiv University

SEMKO VIKTOR, Academician of Ukraine and Professor and Doctoral Supervisor at Borys Grinchenko Kyiv University, argued that cybersecurity has become a core component of national security, and that industrial control system security touches infrastructure, smart manufacturing, smart cities, defense production and every field that bears on the national economy and people's livelihoods. Through several case studies he described the application of cybersecurity control technology in smart manufacturing and presented new developments, results and experience in next-generation cybersecurity and smart manufacturing.


Wu Jinsong, Senior Vice President of Flex and General Manager of its Huawei global business

Wu Jinsong, Senior Vice President of Flex and General Manager of its Huawei global business, pointed out that promoting industrial upgrading requires vigorously building smart factories and advancing smart manufacturing. He believes six technologies are essential to building the smart factory of the future: automation, machine-to-machine communication, 3D printing and additive manufacturing, virtual and augmented reality, enhanced visualization and advanced simulation, and cloud computing.


Peng Junsong, Vice President and Chief Digital Officer of SAP China

Peng Junsong, Vice President and Chief Digital Officer of SAP China, said that we have entered the transition period from the third to the fourth technological revolution, and that the degree to which core technologies are commoditized represents the progress of the industrial revolution. Beginning in 2014, SAP put forward core solutions in smart manufacturing technology, and this year it has launched the third generation of its "Open Integrated Factory", initially achieving the goal of distributed control. At the heart of this innovation is real-time AI decision-making based on in-memory computing, which lets SAP quickly transition from centralized control to distributed production control.


Wang Jian, Senior Vice President of Yonyou Network Technology Co., Ltd. and President of its High-End Business Group

Wang Jian, Senior Vice President of Yonyou Network Technology Co., Ltd. and President of its High-End Business Group, pointed out that with changes in consumer attitudes, habits and demand, the growing maturity of emerging technologies such as cloud computing, big data, the Internet of Things, blockchain and artificial intelligence, and major evolution in manufacturing methods, the development of industrial internet platforms has entered its best moment.


Wang Bo, General Manager of Fujitsu's Digital Business Headquarters

Wang Bo, General Manager of Fujitsu's Digital Business Headquarters, said that Fujitsu, itself a manufacturer, has over many years of development continuously pushed the integration of IT with industry, applying IT in the development of its own factories. He believes that achieving smart manufacturing requires two approaches: one is the shift from quantity to quality, promoting the digitization, networking, intelligence and greening of manufacturing; the other is building a value-chain manufacturing model that integrates the manufacturing supply chain with the internet, cloud computing and big data, and builds open systems and platforms through the Internet of Things.


Zheng Shuangquan, Deputy General Manager of the Midea Cloud (美云智数) business unit

Zheng Shuangquan, Deputy General Manager of the Midea Cloud (美云智数) business unit, described Midea's digitization path. He said that over the past five years Midea has invested more than 8 billion yuan in digitization, and credited the following experience: on the user side, getting closer to users through digital marketing and customer service and mass customization; on the product side, driving the digital transformation of products, increasing investment in digital R&D, and making products intelligent, scenario-based, platform-based and modular; and accelerating the digital transformation of the manufacturing process, promoting digital simulation, achieving digital supply chain collaboration across the board, and building digital lean factories coordinated across the whole value chain to achieve lean operation and automation.


Cai Qinan, General Manager for China of Advantech's Industrial IoT business group

Cai Qinan, General Manager for China of Advantech's Industrial IoT business group, said that to achieve smart manufacturing an enterprise cannot simply "copy" someone else's model; it needs to look back and examine its own actual situation, find the key entry point for smart manufacturing from its business issues, and drive Industry 4.0 through the integration of automation and information combined with cloud and data analytics. He believes the factory of the future is data-driven, that this will become a key element of overall enterprise competitiveness, and that connecting people, products and equipment through data is an important means of ultimately achieving smart manufacturing.


Guo Zhenming, General Manager of AU Optronics (Suzhou) Co., Ltd.

Guo Zhenming, General Manager of AU Optronics (Suzhou) Co., Ltd., believes that 2025 will usher in the era of the Internet of Everything, and that the key to the IoT world lies in personal wearable devices for smart living and the human-machine interfaces in various commercial and industrial applications. Industry's entry into the 4.0 era has moved from automation to intelligence, which will affect the management, control, execution and operations layers of manufacturing; new technology will drive changes in organizational form, and AU Optronics is a practitioner of this, with 达智汇 being the smart manufacturing solution that pools AUO's production wisdom.


Han Zhijun, China Quality Award review expert and Professor and Doctoral Supervisor (former Dean) at the School of Economics and Management, Nanjing University of Science and Technology

It is worth noting that the summit also invited Han Zhijun, China Quality Award review expert and Professor and Doctoral Supervisor (former Dean) at the School of Economics and Management, Nanjing University of Science and Technology, to share the concepts, methods and case studies of robust design from a theoretical perspective. Robust design, also known as the "Taguchi method", is a low-cost, high-benefit quality engineering method that moves the focus of quality from the manufacturing stage forward to the design stage, emphasizing the important role of design in quality.


Deng Ziwei, President of the Changsha Intelligent Manufacturing Research Institute

In the summit's final session, Deng Ziwei, President of the Changsha Intelligent Manufacturing Research Institute, released the "2018 Changsha-Zhuzhou-Xiangtan-Hengyang Smart Manufacturing Development White Paper". The report notes that, for the city cluster, the advance of smart manufacturing has four main features: first, enterprises have strong demand for intelligent upgrading and there is ample room for development; second, the basic environment for smart manufacturing development is favorable; third, smart manufacturing supply capacity is gradually improving; and fourth, a city-cluster model of smart manufacturing development. The white paper also offers four recommendations: first, improve the coordination and linkage mechanism of the city cluster; second, increase support for small and medium-sized enterprises; third, step up the recruitment of high-end smart manufacturing talent and strengthen the training of highly skilled workers; and fourth, further raise the city cluster's smart manufacturing supply capacity.

A new round of technological revolution and industrial transformation is now flourishing worldwide, and smart manufacturing, characterized by the deep integration of information technology and manufacturing technology, keeps giving rise to new industrial forms and business models. By discussing the cutting-edge concepts and models of the era and the industry's successful practices and experience, this summit provided valuable experience, consensus and insight for effectively advancing advanced manufacturing and moving Chinese industry toward the middle and high end of the global value chain.

3 Cyber Security Legal Issues for MSPs and VARs

Cyber security is becoming a minefield of legal risk. One wrong step can blow your business sky-high.

Managed service providers live in this minefield. They’ve been safe so far. We cannot find news of any that have blown up after a misstep that caused a client’s data breach and triggered a legal issue.

But that doesn’t mean lawsuits are not coming. Regulators and lawmakers are adding mines to the cyber security field every year.

All 50 U.S. states now have data privacy laws.

This is in addition to U.S. federal privacy laws such as HIPAA, EU privacy laws such as the GDPR, and industry regulations such as PCI DSS, all of which have requirements for cyber security.

Lawsuits are also becoming more common after a data breach is discovered:

In August, a business services company was sued in multiple federal court actions a mere three days after notifying clients of a breach. In January, an electronic health record (EHR) vendor was hit with a ransomware attack. Later that month, one of its clients sued the vendor , claiming the attack prevented them from accessing patients’ records. This resulted in cancelled appointments and lost revenue.

If cyber security is a minefield of legal threats for MSPs, what do the mines look like?

Here are three big issues to avoid:

Breach of Contract Lawsuit
Negligence Lawsuit
Regulatory Enforcement

Let’s unpack each of these.


Legal Issue #1: Breach of Contract Lawsuit

A breach of contract lawsuit is very simple.

First, there must be a contract.

Second, the contract must specify the responsibility of each party (i.e. your MSP business and the client).

Third, one party (the plaintiff) files a lawsuit against the other, claiming they failed to live up to their responsibility and thus harmed the plaintiff.

For an MSP, the obvious example would be a client who suffers a data breach and files a lawsuit. The suit would claim the MSP failed to live up to the terms of the contract and this caused a data breach that resulted in losses.

How to Avoid this Threat

If you’re hit with a breach of contract lawsuit, you’ve already lost, because it will cost significant money to fight it.

The best approach is to avoid a lawsuit altogether, and you can do that with clear communication with clients at the beginning of your relationship.

It’s critical that your clients understand the role of your business in their cyber security, i.e. where your responsibilities start and end.

Verbally explain your responsibilities to clients, and ensure the responsibilities are explicitly outlined in a formal agreement signed by both parties.

Also ensure your clients understand the important aspects of their cyber security that you are NOT responsible for, i.e. what they are responsible for.

A 30-minute conversation on this topic can save you from months of headaches and legal issues if the relationship sours.

Once the terms of your agreement are clearly defined, you must live up to the terms. That’s the whole point of the agreement. If you fail to do so, and if this failure harms the client, you can expect a call from their lawyer.

Lastly, include clauses in the agreement that limit your liability. Then, if you are found liable in court, such clauses can reduce your exposure and prevent the lawsuit from ending your business.


Legal Issue #2. Negligence Lawsuit

A negligence lawsuit claims that a party failed to use reasonable caution when providing services and thus harmed the plaintiff.

The term “standard of care” is often used to describe the inherent responsibilities of a service provider, such as a doctor or lawyer.

For an MSP or IT firm, you owe clients a standard of care. If your services fall short of this standard and the client is harmed, then you can be sued (in theory).

Obviously, you can avoid a cyber security legal issue by living up to the ‘standard of care’. So, what’s the standard?

Unfortunately, no one knows for sure. No laws have set a clear standard in the U.S., and no court case has yet clearly established one.

However, you are not completely without guidance.

You can get a sense of a reasonable standard of care from the controls recommended by proven security frameworks such as the CIS 20 , NIST 800-53 , NIST 800-171 , and others.

Also, more frameworks may be coming. Signed into law on Aug. 14, the NIST Small Business Cybersecurity Act requires the National Institute of Standards (NIST) to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”

These forthcoming resources may help form a reasonable standard of care for IT services in the SMB market.

Follow the Standard You’ve Set

You must also live up to the promises you’ve made to protect customer data, such as those in your privacy policy. Hospitality giant Wyndham Worldwide failed to do this and landed in court with the FTC.

The FTC sued Wyndham in 2012, claiming it did not live up to promises made in its privacy policy to protect consumers’ data. This led to a data breach causing “substantial consumer injury”, according to the FTC.

Wyndham settled the case in 2015. Under the settlement, Wyndham had to create a comprehensive information security program. The terms of the settlement are in place for 20 years.


Legal Issue #3. Regulatory enforcement

Regulators, such as the Office for Civil Rights under HIPAA or the PCI DSS Security Standards Council, levy fines and penalties against businesses that fail to comply with their rules.

Important ways to avoid this threat:

Know the environment

When you begin a relationship with a client, require them to disclose all regulatory frameworks they are required to follow for their IT systems and data.

Make the customer responsible

Also, be sure to note in your contract that the customer has the sole responsibility for understanding and ensuring the services you provide will satisfy any necessary regulatory or legal requirements.

Limit your exposure

Cyber security regulations often focus on specific types of data.

For example, HIPAA aims to protect all “personally identifiable information” of patients and customers in the medical industry.

PCI DSS aims to protect cardholder data.

These regulations also affect the systems i.e. the workstations and network infrastructure that store, process, or transmit this data.

So one way to limit your exposure to these regulations is to limit your exposure to the data and systems they cover.

For any service you provide that affects these systems, document the extent of your access and how you’ve limited it. Also ensure the customer understands the scope of your access, both verbally and contractually.


Protect Yourself with Honesty (and a Good Contract)

In any business, legal issues can often be avoided with transparency, honesty, and a collaborative attitude.

Always set clear expectations with clients and deliver on them. Avoid absolute guarantees. Also avoid hostility and blaming of others.

Respect best practices (don’t recklessly disregard them). Also respect the things you do not yet know. Develop a strong sense of professional humility.

Remember, no one is perfect. As a director of the FBI once said, “There are only two types of companies: those that have been hacked and those that will be.”

Good Relationships Can Sour

These principles can carry you far. However, relationships can sour and partnerships can fail. That’s usually when lawyers are called and everyone starts losing money.

Unfortunately, lawsuits cannot always be avoided, and this is where your service contract becomes critical.

Your business should have a standard form agreement that all clients sign when doing business with you. This agreement should be rock-solid and crafted by a competent lawyer who is familiar with cyber security law and regulation.

The form agreement is the same for all your clients, so you need one more thing: a Statement of Work.

The statement of work is where you define the specific responsibilities and services you will provide. It should be unique to every client.

But remember, if you’re arguing about the terms of your contract in a court, you’re already losing money.

So avoid lawsuits whenever possible: maintain a strong relationship with your clients and make sure everyone is aware of their responsibilities.


Related resources

Calyptix Responds to NIST Small Business Cybersecurity Act

Shelter from Cyber Regulation: NIST 800-171

Top 5 Cyber Security Frameworks in Healthcare

HIPAA Hazards: Avoid the business associate trap

Live | 2018 China (Changsha) Cybersecurity and Intelligent Manufacturing Conference


Jinse Finance (金色财经) reports: On November 29, 2018, the 2018 China (Changsha) Cybersecurity and Intelligent Manufacturing Conference opened at the Changsha International Convention and Exhibition Center, guided by the Office of the Central Cyberspace Affairs Commission and the Ministry of Industry and Information Technology and jointly hosted by the People's Government of Hunan Province, the Chinese Academy of Engineering, the China Association for Science and Technology, the National University of Defense Technology and China Electronics Corporation. Under the theme "Gathering Wisdom, Linking Innovation, Empowering" (集智 链新 赋能), the conference brought together experts, scholars and industry leaders from the blockchain field for in-depth exchange and discussion on strategic layout and policy direction, basic research and frontier exploration, market sentiment and investment trends, and industry developments and application practice. Jinse Finance covered the whole conference; the live coverage follows.


In his address, Hu Zhongxiong, Deputy Secretary of the Changsha Municipal Party Committee, Mayor of Changsha and Secretary of the Party Working Committee of the Hunan Xiangjiang New Area, said that Changsha must seize the window of opportunity for blockchain development. On the side of development advantages, Changsha has issued a blockchain industry development plan, set up a first-phase fund of 200 million yuan and two national-level high-tech zones, and is opening up a blockchain industry cluster through a "park within a park" approach; its second advantage is talent. In terms of vision, the goal is to master a set of core blockchain technologies, build a set of application scenarios in Changsha and bring in a group of blockchain enterprises; the government will use a capital pool, a talent pool and policy incentives to attract blockchain enterprises to Changsha.


The Blockchain Branch of the Chinese Institute of Electronics was formally established, and the China Blockchain Evaluation Alliance was announced to be formally in preparation.

......

Updates continuing
