Microsoft has released its serverless Azure Blockchain Development Kit, which promises to extend the capabilities of earlier blockchain-based development templates. “Apps have been built for everything from democratizing supply chain financing in Nigeria to securing the food supply in the UK, but as patterns emerged across use cases, our teams identified new ways for Microsoft to help developers go farther, faster,” Marc Mercuri, Microsoft’s Block Engineering principal program manager wrote in a blog post. “The Azure Blockchain Development Kit is the next step in our journey to make developing end to end blockchain applications accessible, fast, and affordable to anyone with an idea,” he said. A serverless approach, according to Mercuri, would “reduce costs and management overhead.” Without a virtual machine (VM) server to deal with, the kit is made affordable and “within reach of every developer—from enthusiasts to ISVs [independent software vendors] to enterprises.”
Any security researcher will tell you that at least 90% of cyber attacks emanate from phishing emails, malicious attachments, or weaponized URLs. A cybersecurity platform must apply filters and monitoring to these common threat vectors for blocking malware and providing visibility into anomalous, suspicious, and malicious behaviors. ... Cybersecurity technology platform management provides an aggregated alternative to the current situation where organizations operate endpoint security management, network security management, malware sandboxing management, etc. ... CISOs want their security technologies to block the majority of attacks with detection efficacy in excess of 95%. When attacks circumvent security controls, they want their cybersecurity technology platforms to track anomalous behaviors across the kill chain (or the MITRE ATT&CK framework), provide aggregated alerts that string together all the suspicious breadcrumbs, and provide functions to terminate processes, quarantine systems, or rollback configurations to a known trusted state.
Fileless malware strains will exhibit wormlike properties in 2019, allowing them to self-propagate by exploiting software vulnerabilities. Fileless malware is more difficult for traditional endpoint detection to identify and block because it runs entirely in memory, without ever dropping a file onto the infected system. Combine that trend with the number of systems running unpatched software vulnerable to certain exploits and 2019 will be the year of the vaporworm. Attackers hold the Internet hostage A hacktivist collective or nation-state will launch a coordinated attack against the infrastructure of the internet in 2019. The protocol that controls the internet (BGP) operates largely on the honour system, and a 2016 DDoS attack against hosting provider Dyn showed that a single attack against a hosting provider or registrar could take down major websites. The bottom line is that the internet itself is ripe for the taking by someone with the resources to DDoS multiple critical points underpinning the internet or abuse the underlying protocols themselves.
As Guggenheimer explains, Microsoft's idea is to let customers jump in where they are. Those on the lower end of the AI experience chain might want to begin dabbling with AI with business intelligence and apps. Microsoft's announcement this week about its plan to add AI capabilities to Power BI (as explained here by my ZDNet colleague Andrew Brust) is the cornerstone of this part of Microsoft's strategy. For customers with a little more AI experience and who are willing to do a bit more customization, Microsoft's Dynamics 365 software-as-a-service apps -- especially those which recently got their own AI boost -- provides another place for customers to get their AI feet wet, Guggenheimer suggests. The next two pieces of Microsoft's AI strategy are where there's been a lot of announcements, as of late. Microsoft is working on a number of AI "Accelerators," solution templates and analytics templates to give users a way to build on top of some repeatable patterns and practices around AI.
“Lack of career growth or trajectory is a major factor driving women to leave their jobs — this was the most common response (28 percent) when we asked why they left their last job,” writes Kim Williams, senior director of design at Indeed, in a summary of Indeed's research. “The second most-common reason for leaving was poor management, with a quarter of respondents choosing this reason. Slow salary growth came in as the third most-common reason (24 percent) respondents left their last job. By contrast, issues related to lifestyle, such as work-life balance (14 percent), culture fit (12 percent) and inadequate parental leave policies (2 percent) were less common reasons for leaving a job,” Williams says. ... As Williams writes, “Meanwhile, many women in tech believe that men have more career growth opportunities — only half (53 percent) think they have the same opportunities to enter senior leadership roles as their male counterparts. And among women who have children or other family responsibilities, almost a third (28 percent) believe they’ve been passed up for a promotion because they are a parent or have another family responsibility.”
As well as an emphasis on education, it is essential that organisations foster a culture that supports “doing the right thing”. This requires mechanisms and processes that enable concerns to be raised easily and without fear of retribution. This does not happen overnight, however, and enterprises need to allow time for it to embed fully. It is important that people throughout the organisation feel supported and confident in speaking up about any activities that may adversely affect the security design or increase the threats. This may sound obvious, but business projects have defined plans and milestone dates, and standing in the way of these to raise concerns from a secure architecture point of view is a daunting prospect. However, a supportive culture and an outcomes-focused security strategy will champion legitimate challenges, hearing and considering the claim regardless of the seniority of the individual making it. Similarly, there need to be appropriate channels for individuals to flag poor practice, without having to challenge the perpetrator directly.
While Google encourages customers to use Cloud Scheduler for App Engine workloads on GCP, the service also works with any HTTP/S endpoint or Publish/Subscribe messaging topic. One example of the former is an on-premises enterprise application that exposes back-end data to a cloud service via HTTP/S. Publishers take many forms, such as a sensor installed at a remote oil rig. As the sensor generates various types of messages, the publish/subscribe approach sends them to a broker system, which then forwards them on to subscribers in real time. This approach can save time and effort by eliminating the maintenance of a slew of point-to-point integrations, and it makes sense for use cases such as IoT. Google offers a publish/subscribe service for GCP. Google Cloud Scheduler uses a serverless architecture, so customers only pay for job invocations as needed; pricing starts at $0.10 per job, per month, with three free jobs per month. It's difficult to compare Cloud Scheduler's cost to, for example, Azure Scheduler, which has a much more granular pricing model.
The near ubiquity of IoT does raise the security flag, as it presents a significant threat vector for hackers to breach companies. DigiCert’s goal in running the survey was to understand the state of IoT adoption, understand security implications, and quantify the benefits of having made the investments in IoT security. The survey focused on the four industry verticals where IoT was most mature — industrial, consumer products, healthcare, and transportation — and sampled companies of all sizes, with the median size being 3,000 employees. The survey asked what objective companies were trying to achieve with IoT. The top responses were operational efficiency, customer experience, increased revenue, and business agility. It’s been my experience that businesses that are early in the adoption cycle of IoT are looking to cut costs through automation, which leads to better efficiency, but they quickly pivot to customer experience as a way of creating new revenue streams.
“The malware can intercept input data on target sites, modify online page content, and/or redirect visitors to phishing pages,” Kaspersky Lab researchers noted in a posting on Thursday, one week ahead of Thanksgiving. They added that the malicious code, once installed often lies in wait for the consumer to visit an e-commerce page, and then simply grabs the payment form wholesale. “Form-grabbing is a technique used by criminals to save all the information that a user enters into forms on a website,” the team noted. “And on an e-commerce website, such forms are almost certain to contain: login and password combination as well as payment data such as credit card number, expiration date and CVV. If there is no two-factor transaction confirmation in place, then the criminals who obtained this data can use it to steal money.” Armed with the stolen credentials, cybercriminals could hawk them on the Dark Web, or simply use the stolen accounts themselves – they can buy things from a website using victims’ credentials, and then resell the ill-gotten goods to make a nice profit – a process that comes with built-in money-laundering.
Quote for the day:
"The ultimate measure of a man is not where he stands in moments of comfort, but where he stands at times of challenge and controversy." -- Martin Luther King,