Today's Tech Digest
There is no such thing as a DR test failure
Testing your IT Disaster Recovery (DR) plan can be laborious, tedious and fraught with potential landmines. Case in point: that was my first exposure to DR, way back in the ancient times of the early 1990s. We were a mainframe shop, Big Blue, Amdahl, you know the beasts. Our infrastructure team had been performing annual DR tests for several years. These were the kind of tests where you rented space and equipment in some far-away datacenter for a finite amount of time, something like 36 hours. Within that window, you had to fire up the mainframes, tape drives and disks, and restore the OS, middleware and all the utilities. This year was going to be different, however. This year, they actually wanted to recover an application. At the time, I was the lead contractor assigned to the order management applications.
Neato Robotics Adds More Smarts To Its Vacuum Cleaners
With Version 2.0 of its smartphone app, the company is adding the ability to program them via IFTTT.com (IF This, Then That). The web service can automatically trigger certain online actions depending on events or data gathered from other online sources. That will give owners of a connected Botvac a new way to trigger a cleaning session. Instead of pushing a button on the robot, or in the app, or setting a fixed schedule of days and times to clean, they will be able to use an IFTTT recipe to tell the robot to start cleaning as soon as their smart thermostat detects that the house is empty, for example. IFTTT's online calendar integration could trigger an extra clean the morning after a party or, for those with particularly muddy outdoor interests, the day after their calendar lists a hike in the woods or a mountain bike race, say.
Payment card security standard compliance and cyberattacks
When looking at the PCI controls that companies would be expected to have in place (such as security testing, penetration tests, etc.), the report found an increased ‘control gap,’ meaning that many of these basics were absent. In 2015, companies failing their interim assessment had an average of 12.4 percent of controls absent; this increased to 13 percent in 2016. Simonetti continues, “It is no longer the question of ‘if’ data must be protected, but ‘how’ to achieve sustainable data protection. Many organisations still look at PCI DSS controls in isolation and don’t appreciate that they are inter-related – the concept of control lifecycle management is far too often absent. This is often the result of a shortage of skilled in-house professionals – however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts.”
Five steps to a secure workforce
The first step in securing your employees is to understand what they do, and therefore what they need access to. By governing their privileges, you’ll be limiting their ability to do damage with your data, intentionally or unwittingly, without stopping them from doing their jobs. This begins with understanding who handles what in your organisation, and how. Analyse different employee roles. How many of them are there? Create a list and then assign responsibilities to each role, along with the level of information that they need access to when doing their job. Then, place individual job titles into these roles. This will be the basis for a least-privilege access model that gives employees access to the data they need on a need-to-know basis. After creating a framework for managing access, you must build security policies that use this framework to define employee behaviour and mitigate information security risk.
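The role-based, need-to-know model the passage describes, as an added example in Python (not code from the original article): roles carry responsibilities, an action set and a data-classification ceiling, job titles are mapped into roles, every check is deny-by-default, and a review function lists granted actions that no holder of a role actually used, which is how the framework gets tightened over time. The role names, job titles, classification levels and access log are constructed for the example.

```python
# Added example (not from the original article): a minimal least-privilege access model
# built the way the passage describes. Roles, titles, levels and the log are constructed.
from dataclasses import dataclass

# Need-to-know levels, ordered from least to most sensitive (constructed for the example).
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Role:
    name: str
    responsibilities: tuple   # what the role does in the organisation
    actions: frozenset        # operations the role may perform
    max_classification: str   # highest data level the role needs to see

# Steps 1 and 2: enumerate roles and the access each one needs (hypothetical roles).
ROLES = {
    "support_agent": Role("support_agent", ("answer tickets",), frozenset({"read"}), "internal"),
    "order_clerk": Role("order_clerk", ("enter orders", "issue refunds"),
                        frozenset({"read", "write"}), "confidential"),
    "dba": Role("dba", ("maintain databases",), frozenset({"read", "write", "delete"}), "restricted"),
}

# Step 3: place individual job titles into roles (hypothetical titles).
TITLE_TO_ROLE = {
    "Customer Support Rep": "support_agent",
    "Order Management Analyst": "order_clerk",
    "Database Administrator": "dba",
}

def is_allowed(title: str, action: str, data_class: str) -> bool:
    """Deny by default: an unmapped title, an ungranted action or data above
    the role's classification ceiling all fail."""
    role_name = TITLE_TO_ROLE.get(title)
    if role_name is None or data_class not in CLASSIFICATION:
        return False
    role = ROLES[role_name]
    return (action in role.actions
            and CLASSIFICATION[data_class] <= CLASSIFICATION[role.max_classification])

def unused_grants(access_log):
    """Least-privilege review: (role, action) grants that no holder of the role
    exercised. access_log is an iterable of (title, action) pairs, e.g. from an audit trail."""
    exercised = set()
    for title, action in access_log:
        role_name = TITLE_TO_ROLE.get(title)
        if role_name:
            exercised.add((role_name, action))
    return sorted((r.name, a) for r in ROLES.values()
                  for a in r.actions if (r.name, a) not in exercised)
```

Grants reported by `unused_grants` are candidates for removal, not automatic revocations; confirm with the role owner that the responsibility really is not needed before pruning.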
How to install and enable ModSecurity with NGINX on Ubuntu Server
ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. This open source Web Application Firewall (WAF) module does an outstanding job of protecting web servers (Apache, NGINX, and IIS) from attacks that target potential vulnerabilities in various web applications. ModSecurity handles tasks like: real-time application security monitoring and access control; full HTTP traffic logging; continuous passive security assessment; and web application hardening. I want to walk you through the process of installing both ModSecurity and NGINX, so you can ensure your web server is better able to stand up against certain attacks. The installation process is a bit complicated and is handled completely through the command line.