August 04, 2016

What's In A Security Score?

Security scores are used by cyber insurance underwriters to evaluate a company’s potential risk, by companies to evaluate the cyber-risk posture of third-party vendors and partners, and by senior executives to explain a company’s cyber risk to its board of directors with an easy-to-understand rating. “The third-party risk management is the one we see growing the most rapidly,” says Jeffrey Wheatman, research director, security and privacy, at Gartner. “We think that at some point in the near term, a cybersecurity score will be as important as a credit score when organizations look to sign up for a partnership.”


Google DeepMind: The smart person's guide

DeepMind is a subsidiary of Google that focuses on AI. More specifically, it uses a branch of AI called machine learning, which can include approaches like deep neural networks and reinforcement learning to make predictions. This can rely on massive data sets, sometimes manually labeled—but sometimes not. Many earlier AI programs, like IBM's Deep Blue, which defeated Garry Kasparov in chess in 1997, used explicit, rule-based systems in which programmers wrote the rules by hand. Machine learning, by contrast, lets computers derive their own rules from data and use them to make predictions. In March 2016, DeepMind's AlphaGo program beat world champion Lee Sedol in 4 out of 5 games of Go, a complex board game—a huge victory in AI that came much earlier than many experts believed possible.


Build a Strong Security Baseline with the HIPAA Security Rule

“In addition to having updated systems, it’s also beneficial to monitor what is going on within a system,” Fisher said. “Whether it be looking for suspicious emails or suspicious activity, you then need to be able to quickly respond to or isolate that activity. Even if you can’t prevent an attack, at least if you can limit the extent of it, or the length of time in which it can occur, you can begin to mitigate those potential damages or potential harm that’s coming out of it.” If an attack has succeeded, entities need to try to lock down the affected systems as quickly as possible to stop further spread of harm. Furthermore, as required under HIPAA regulations, a good disaster recovery plan and comprehensive data backup should also be at the top of an organization’s security priorities.


NIST wants agencies to move away from SMS authentication

“While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of device authentication mechanisms inherent in the other authenticators allowable in NIST draft SP 800-63-3,” Grassi wrote. “It’s not just the vulnerability of someone stealing your phone, it’s about the SMS that’s sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.” NIST stopped short of removing the SMS guidelines entirely, because text messages may still be what existing government systems rely on. However, NIST hopes the deprecation pushes agencies to re-assess their two-factor practices as they modernize their systems.


White House to Fund Tech Growth ‘Beyond Moore’s Law’

The NSCI is all in favor of partnership and collaboration. But with respect to finding a new track for sustained performance growth over the long haul, it’s looking to principles that, as of today, still sound like science fiction. “The NSCI envisions a more heterogeneous future computing environment, where digital (von Neumann-based) computing is augmented by systems implementing alternative computing paradigms to efficiently solve specific classes of problems,” reads the group’s current report. “These alternative computational paradigms — whether quantum, neuromorphic or other alternatives — may solve some classes of problems that are intractable with digital computing, and provide more efficient solutions for some other classes of problems.”


Strate, global CSDs to collaborate on blockchain use

“It sounds so simple for me to give you shares and you get cash in exchange and then the deal is done. But when you start getting into things like corporate actions, dividend payments, taxes that have to be paid, reporting things, liquidity requirements and securities lending and borrowing, you unpack this whole can of worms that needs to be dealt with,” Knowles said. She said the effective, lawful use of the technology in financial markets would require the use of a permissioned blockchain and oversight by an independent third party. “To something as high risk as the financial markets, it does need regulation, it does need standards, it does need governance and it does need some sort of overseer of the entire ecosystem,” she said.


Bitcoin exchange hack highlights security weaknesses

“Although bitcoin itself is inherently secure, a hacker can steal the keys to your wallet if you don’t store the keys securely. This isn't an inherent flaw of the bitcoin protocol, and this is what happened with Bitfinex,” he said. Al-Bassam said although there has been progress in the past few years with technology to allow secure wallets, such as hardware wallets and cold wallet software, there is still a lot more to be done. “Users who store a large amount of Bitcoin in an exchange should be aware that if they don’t have the cryptographic keys to their Bitcoin, they don’t have total control over it,” he said.


Cloud denial sliding into oblivion

The only way to completely prevent cloud usage is to shut down internet access for users. Essentially, the modern equivalent of what you only see in spy movies: a sealed network, custom-made computers with no USB ports and no external drives, and employees searched on their way in and out of the office. Except that "no internet" is not really practical in the twenty-first century. Barring a sealed network, users will bypass the rules and use cloud services. It can be as simple as using a file sharing service such as Dropbox to send files to colleagues, or signing up for a cloud-based analytics service and uploading company data to get nice reports. It can also go all the way to provisioning a mission-critical business application, or a data backend for a mobile app, without ever going through IT.


IoT Will Surpass Mobile Phones As Most Connected Devices

The Ericsson report notes that many things will be connected through capillary networks, which will leverage the ubiquity, security, and management of cellular networks. The result could create a lot of opportunity for IT, as well as challenges related to security and management. Currently, about 70% of cellular IoT modules are GSM-only, with network mechanisms being implemented to extend coverage for low-rate applications. The second market segment -- critical IoT connections -- is characterized by requirements for ultra-reliability and availability with very low latency, in areas such as traffic safety, autonomous cars, industrial applications, remote manufacturing, and healthcare, including remote surgery.


Virtual Panel: Current State of NoSQL Databases

It's clear to me that the relational databases are more mature in their integration with developer tooling than the NoSQL databases, that's just a function of time. But that is rapidly changing as the NoSQL market shakes out and the database and tooling vendors begin to consolidate around a small number of front-runners, supported by an enthusiastic OSS community. In Neo4j specifically we've been working hard over the last 5 years to produce a very productive query language called Cypher that provides humane and expedient access to the graph. That language is now in the early stages of standardization as "openCypher", and will appear as the API to other graph technology over time (e.g. there is an initiative to port Cypher to Spark). In our recent 3.0 release we worked hard to make access to the database boringly familiar.


Quote for the day:


"Chance has never yet satisfied the hope of a suffering people." -- Marcus Garvey