Daily Tech Digest - October 31, 2019

What the Google vs. IBM debate over quantum supremacy means

The debate is over what it means when you run an actual quantum computer, such as Sycamore, and compare it to a simulation of that quantum computer inside of a classical, electronic computer. Quantum simulation software, such as Microsoft's LIQUi|⟩ program, allows a traditional computer to represent a quantum computer in ordinary circuitry, by translating quantum mechanics into mathematical structures, known as matrices of complex numbers (numbers that incorporate both real and imaginary numbers). With simulations, it's possible to compare how long it takes real quantum circuits to produce a given computation, and how long the same computation takes a classical computer to reproduce, by running the matrix math that resembles the functions of the quantum circuit.  Google and IBM are both looking at such simulations, and they're taking different views as to what the comparison means.  Google's point is that Sycamore is a device that does the work it takes millions of conventional processors to simulate. 

Why organizations feel vulnerable to insider attacks

A full 43% of the respondents cited phishing attacks that trick employees into sharing sensitive company information. Some 24% pointed to weak passwords, 15% referred to spear-phishing attacks targeted to specific individuals, and 15% cited orphaned accounts. Data leakage or theft is always a concern for security professionals both from outside and inside the company. Asked which type of data is most vulnerable to insider attacks, 63% of the respondents pointed to customer data, 55% to intellectual property, and 52% to financial data. ... Insider attacks pose enough of a concern that most organizations do have certain tools in place to deal with them. Some 68% of those surveyed said they feel anywhere from moderately to extremely vulnerable to insider attacks. While 49% said they feel they have the right controls to prevent an insider attack, 28% said they do not, and 23% said they were not sure. Most of the respondents use some type of analytics to determine insider threats with 32% relying on activity management and summary reports, 29% on user behavior analytics, 28% on data access and movement analytics, and 14% on predictive analytics.

North Korean malware detected in India's Kudankulam nuclear facility

North Korean malware detected in India's Kudankulam nuclear facility
The Nuclear Power Corporation of India (NPCIL) admitted yesterday that one of the computers at its Kudankulam nuclear power plant (KKNPP) had been attacked by malware. The malware, however, did not affect the critical internal network of the plant, NPCIL claimed, but the company only confirmed the attack following strong denials.  "Identification of malware in NPCIL system is correct," A.K. Nema, Associate Director and Appellate Authority, NPCIL, belated admitted in a statement. "The matter was conveyed by CERT-In [Indian Computer Emergency Response Team] when it was noticed by them on 4 September 2019," he added. According to Nema, the matter was investigated by DAE cyber security specialists, who found that the compromised computer was connected to the internet and was being used only for administrative work only. He also added the virus infection was isolated from the critical internal network of the plant. A day earlier, KKNPP senior official R Ramdoss had rejected social media reports, which claimed that domain controller-level access at KKNPP has been compromised.

Four principles for security metrics

Metrics come into their own when they act first as a tool to help people understand what’s going on, what you need to do to improve, then how to track progress and measure success. Start by creating one metric per process – then, if this metric goes out of tolerance, you’ll have a clear idea of how to address this. For example, “number of high severity vulnerabilities” is not easily actionable. If this goes beyond your tolerance what action do you take? It’s affected by multiple processes as well as circumstances beyond your control. As metrics are developed and you get new views on what your data is telling you, you’ll likely uncover things that are slipping between the cracks of existing processes. If you have a metric that tracks the current status of a given process, but you require several projects to deal with legacy issues that existed before the process was created/updated, there is no harm in splitting that historical data out and tracking those remediation projects separately. This will help you avoid the situation where your metric confuses good current performance with past problems that are now under management via a different – and possibly longer term – process.

The 10+ Most Important Job Skills Every Company Will Be Looking For In 2020

There's no shortage of information and data, but individuals with the ability to discern what information is trustworthy among the abundant mix of misinformation such as fakes news, deep fakes, propaganda, and more will be critical to an organization's success. Critical thinking doesn’t imply being negative; it’s about being able to objectively evaluate information and how it should be used or even if it should be trusted by an organization. Employees who are open-minded, yet able to judge the quality of information inundating us will be valued. ... Technical skills will be required by employees doing just about every job since digital tools will be commonplace as the 4th industrial revolution impacts every industry. Artificial intelligence, Internet of Things, virtual and augmented reality, robotics, blockchain, and more will become a part of every worker's everyday experience, whether the workplace is a factory or law firm. So, not only do people need to be comfortable around these tools, they will need to develop skills to work with them.

How schools can better protect themselves against cyberattacks

Schools often are more vulnerable to cyberattacks in comparison with larger companies and enterprises, and for a variety of reasons. Many school districts may have only one or two IT people to serve the entire district, so the staffers are spread thin. Budget constraints have affected many schools, limiting the amount of money they can spend on security solutions. Most schools likely have the necessary security set up on individual computers and even the overall network. But comprehensive perimeter protection may not be in place, potentially leading to data breaches and malware hosted on the school's website. Young students don't necessarily have the skills or training to adequately identify phishing emails and other threats, so such attacks are often more successful. The number of tablets and other devices issued by schools has increased in recent years and because of that, students may use those devices on outside networks that aren't secure, thereby raising the risk of infection. Even in the face of budget constraints and other limitations, schools should have adequate security measures in place to protect themselves, their data, and their students from security threats.

AI’s ‘most wanted’: Which skills are adopters most urgently seeking?

When we compare companies with relatively little AI experience (they’ve built five or fewer production systems) with those possessing extensive AI experience (they’ve built 20 or more production systems), we observe an interesting shift in “most wanted” roles (see chart). Early on, AI researchers are the most sought-after, with about a third of the less-experienced rating them a top-two needed role. Business leaders rank near the bottom. By the time adopters have become highly experienced at building AI solutions, business leaders have bubbled to the top, and AI researchers have sunk almost to the bottom. What can we make of this curious flip? Many companies embarking on AI initiatives may feel they need to hire AI superstars—researchers with advanced degrees who can invent new AI algorithms and techniques—to spearhead their efforts.2 By the time organizations have amassed a lot of AI experience, they may have filled their ranks with enough of these brilliant experts. At that stage, they’re eager to find business leaders who can play the crucial “translator” role: figuring out what the results from AI systems mean, and how they should factor into business decisions and actions.

The Role of CIO and How It is Being Rewritten

Digitization spurs new priorities – alongside a full slate of historical departmental responsibilities. In enterprise tech speak, leverage simply means using tools, systems or techniques to convert relatively small effort into significantly greater output. Digital transformation won't fit nicely alongside traditional management processes or cleanly under one leader’s org chart. IT leaders have to get more. More out of themselves, their teams and their dollars to succeed in the new enterprise era. One industry survey shares that at least 84% of top CIOs are now responsible for areas outside of traditional IT. The most common areas are innovation and transformation. Further research reveals that 95% of CIOs expect digitization to change or remix their job. Regardless of where or how new responsibilities intersect business and technology, IT will have a key role to play. Yet, without suitable systems leverage, the CIO position is challenging. How else can they handle the burden of IT consumerization, mobile workforces, big-data challenges, shadow IT and cost management.

AI capabilities power global IoT adoption

Story image
AIoT is defined as decision making aided by AI technologies in conjunction with connected IoT sensor, system or product data. AI technologies include deep learning, machine learning, natural language processing, voice recognition and image analysis. According to the survey, 34% of respondents said increasing revenue is the top goal for using AIoT. Improving the ability to innovate (17.5%), offering customers new digital services (14.3%) and decreasing operational costs (11.1%) were all key goals. Intel Americas chief data scientist Melvin Greer says AI and IoT are no longer separate technologies. “AI closes the loop in an IoT environment where IoT devices gather or create data, and AI helps automate important choices and actions based on that data,” explains Greer. “Today, most organisations using IoT are only at the first ‘visibility’ phase where they can start to see what’s going on through IoT assets. But they’re moving toward the reliability, efficiency and production phases, which are more sophisticated and require stronger AI capabilities.”

Defense Innovation Board unveils AI ethics principles for the Pentagon

U.S. Pentagon
Applied Inventions cofounder and computer theorist Danny Hillis and board members agreed to amend the draft document to say the governable principle should include “avoid unintended harm and disruption and for human disengagement of deployed systems.” The report, Hillis said, should be explicit and unambiguous that AI systems used by the military should come with an off switch for a human to press in case things go wrong. “I think this was the most problematical aspect about them because they’re capable of exhibiting and evolving forms of behavior that are very difficult for the designer to predict, and sometimes those forms of behavior are actually kind of self preserving forms of behavior that can get a bit out of sync with the intent and goals of the designer, and so I think that’s one of the most dangerous potential aspects about them,” he said. The Defense Innovation Board is chaired by former Google CEO Eric Schmidt, and members include MIT CSAIL director Daniela Rus, Hayden Planetarium director Neil deGrasse Tyson, LinkedIn cofounder Reid Hoffman, Code for America director Jennifer Pahlka, and Aspen Institute director Walter Isaacson.

Quote for the day:

"It's not about how smart you are--it's about capturing minds." -- Richie Norton

Daily Tech Digest - October 30, 2019

Automation projects: A good time to switch vendors?

automation iot machine learning process ai artificial intelligence by zapp2photo getty
Many network infrastructure vendors are developing automation technology aimed primarily, if not solely, at their own products, rather than multi-vendor environments. While most enterprises use two or three different automation tools in their initiatives, 42 percent say that an automation tool aimed at a single vendor is part of their strategy. In fact, 26 percent said a single-vendor automation tool is the most important part of their automation technology strategy. ... The most important ZTP feature, according EMA’s survey, is software-image auto-updates and verifications. Many enterprises are also interested in being able to custom provision and configure devices via scripts and the ability to unify ZTP network provisioning with compute and storage infrastructure in data centers. Not every network vendor offers embedded ZTP features on their platforms, and most only offer them on their latest generation products. Enterprises with older equipment may switch to a new vendor during a refresh, and ZTP features may be a contributing or leading driver of that vendor switch.

Joker's Stash Lists 1.3 Million Stolen Indian Payment Cards

Group-IB, which has analyzed the cards listed for sale, says more than 98 percent appear to have been issued by Indian banks, with a single bank accounting for more than 18 percent of all of the dumps. About 1 percent of the cards appear to have been issued to Columbian banks. What's unusual about this sale is that so many payment cards have been uploaded at once. "Databases are usually uploaded in several smaller parts at different times," says Ilya Sachkov, CEO and founder of Group-IB, which was originally headquartered in Moscow. While that is unusual, so too is the sheer scale of what's being offered all at once. "This is indeed the biggest card database encapsulated in a single file ever uploaded on underground markets at once," he says. "What is also interesting about this particular case is that the database that went on sale hadn't been promoted prior either in the news, on card shop or even on forums on the dark net. The cards from this region are very rare on underground markets. In the past 12 months, it is the only one big sale of card dumps related to Indian banks."

Kubernetes vs. Docker: Understand containers and orchestration
Containers are designed chiefly to isolate processes or applications from each other and the underlying system. Creating and deploying individual containers is easy. But what if you want to assemble multiple containers—say, a database, a web front-end, a computational back-end—into a large application that can be managed as a unit, without having to worry about deploying, connecting, managing, and scaling each of those containers separately? You need a way to orchestrate all of the parts into a functional whole. That’s the job Kubernetes takes on. If containers are passengers on a cruise, Kubernetes is the cruise director. Kubernetes, based on projects created at Google, provides a way to automate the deployment and management of multi-container applications across multiple hosts, without having to manage each container directly. The developer describes the layout of the application across multiple containers, including details like how each container uses networking and storage. Kubernetes handles the rest at runtime. It also handles the management of fiddly details like secrets and app configurations.

The effect of having computer systems wirelessly or directly transmit data to the brain isn't known, but related technologies such as deep brain stimulation -- where electrical impulses are sent into brain tissue to regulate unwanted movement in medical conditions such as dystonias and Parkinson's disease -- may cause personality changes in users.  And even if BCIs did cause personality changes, would that really be a good enough reason to withhold them from someone who needs one -- a person with paraplegia who requires an assistive device, for example? As one research paper in the journal BMC Medical Ethics puts it: "the debate is not so much over whether BCI will cause identity changes, but over whether those changes in personal identity are a problem that should impact technological development or access to BCI". Whether regular long-term use of BCIs will ultimately effect users' moods or personalities isn't known, but it's hard not to imagine that technology that plugs the brain into an AI or internet-level repository of data won't ultimately have an effect on personhood.

With communication, previous attempts used infrared lights or radio waves, but if you have many robots in a small area, these signals can conflict. The MIT team instead created a cube devoid of arms, using inertial forces to move the robots. These forces are the result of a mass inside each cube that throw themselves against the side of the module, causing the block to rotate or move in 24 different directions, with there being six faces, the paper added.  "There's a relatively large field of other people building sort of similar robots," Romanishin said, "But the two main unique parts about our robots are how they move, which is using angular momentum from what we call a reaction wheel, and the way it uses magnets. It uses them in a special way that is potentially a really scalable and cheap solution for identifying hundreds of thousands of elements in a small space." "One of the big things that we looked at was how do you make the robots move relative to each other? It's a really challenging, from a design standpoint and a physics standpoint," Romanishin added. 

Regression testing process
In simple terms, regression testing can be defined as retesting a computer program after some changes are made to it to ensure that the changes do not adversely affect the existing code. Regression testing increases the chance of detecting bugs caused by changes to the application. It can help catch defects early and thus reduce the cost to resolve them. Regression testing ensures the proper functioning of the software so that the best version of the product is released to the market. However, creating and maintaining a near-infinite set of regression tests is not feasible at all. This is why enterprises are focusing on automating most regression tests to save time and effort. ... Whenever there is a change in the app or a new version is released, the developer carries out these tests as a part of the regression testing process. First, the developer executes unit-level regression tests to validate the code that they have modified along with any new test that is created to cover any new functionality. Then the changed code is merged and integrated to create a new build of AUT. After that, smoke tests are performed to assure that the build that we have created in the previous step is good before any additional testing is performed.

Object storage in the cloud: Is backup needed?

CSO > cloud computing / backups / data center / server racks / data transfer
How the replication works is also very different. Object replication is done at the object level vs the block-level replication of cloud block storage and typical RAID systems. Objects are also never modified. If an object needs to be modified it is just stored as a new object. If versioning is enabled, the previous version of the object is saved for historical purposes. If not, the previous version is simply deleted. This is very different from block storage, where files or blocks are edited in place, and the previous versions are never saved unless you use some kind of additional protection system. Cloud vendors offer object-storage services, which include Amazon's Simple Storage Service (S3), Azure’s Blob Store, and Google’s Cloud Storage. These object-storage systems can be set up to withstand even a regional disaster that would take out all availability zones. Amazon does this using cross-region replication that must be configured by the customer. Microsoft geo-redundant storage includes replication across regions, and Google offers dual-region and multi-region storage that does the same thing.

Massive Cyberattack Slams Country of Georgia

Massive Cyberattack Slams Country of Georgia
One obvious potential culprit for the attacks against Georgia would, of course, be Russia, which has previously launched politically motivated cyberattacks against the government sectors of former Soviet states, including Estonia. Georgia is a U.S. ally, and since 2011, it has been an "aspirant country" in terms of its potential membership in NATO. It's also been engaged in a months-long spat with Moscow. After a Russian legislator's address to the Georgian parliament triggered protests, Georgia on June 20 temporarily blocked all flights originating from Russia. In response, Russian President Vladimir Putin on June 21 ordered that starting July 8, Russian carriers were barred from operating flights between Russia and Georgia. The Monday cyberattack against Georgia echoes cyberattacks launched against the country in 2008, weeks before the country was invaded by Russia over Georgia's "breakaway provinces" of South Ossetia and Abkhazia. At the time, Moscow said it wasn't responsible for the cyberattacks, but it suggested that some Russian individuals may have been independently involved.

Lies programmers tell themselves

9 lies programmers tell themselves
Figuring out how to handle null pointers is a big problem for modern language design. Sometimes I think that half of the Java code I write is checking to see whether a pointer is null. The clever way some languages use a question mark to check for nullity helps, but it doesn’t get rid of the issue. A number of modern languages have tried to eliminate the null testing problem by eliminating null altogether. If every variable must be initialized, there can never be a null. No more null testing. Problem solved. Time for lunch. The joy of this discovery fades within several lines of new code because data structures often have holes without information. People leave lines on a form blank. Sometimes the data isn’t available yet. Then you need some predicate to decide whether an element is empty. If the element is a string, you can test whether the length is zero. If you work long and hard enough with the type definitions, you can usually come up with something logically sound for the particular problem, at least until someone amends the specs. After doing this a few times, you start wishing for one, simple word that means an empty variable.

Categorise Unsolved Problems in Agile Development: Premature & Foreseeable

Unsolved problems belong on the backlog. In theory, the Product Owner processes all backlog items, dismisses the irrelevant and prioritizes the most important ones into sprints, until the backlog is empty and the project is done. But in practice, that’s not what happens. The backlog just grows forever. It collects items that can wait, together with technical debt and hot potatoes which cannot simply be dismissed. To developers, the backlog is a spillway to keep their job doable. Agile says: whatever you don't know yet, or can do without for now, park it on the backlog, and forget about it. It will reemerge when needed. For the most part, this works. It is the power of Agile. But by the time unsolved problems reemerge, hot potatoes have become too hot to handle, and technical debt has become too expensive to repay. Implementation effort has grown far beyond the available resources. This can be prevented by adding some core insights and making a few small but essential changes to the Agile approach.

Quote for the day:

"Leaders dig into their business to learn painful realities rather than peaceful illusion." -- Orrin Woodward

Daily Tech Digest - October 29, 2019

As part of any good AI conversation, we have to consider the potential ramifications of an AI-based model. What are the true risks of harnessing AI to help defend ourselves in cyberspace? It is always possible to misuse the information a security system collects. It’s possible to program in unintentional bias. You could break things too much because AI told you to — or you could miss things because you trust your AI system to catch everything. Yet as a business community, we must confront these risks and design to prevent these outcomes. The need for more robust cybersecurity is too great. We simply need to be thoughtful in our approaches, develop and use ethical standards around how we leverage these new and evolving technologies, and, finally, use a trust but-verify-methodology as we look to mature our multilayered cyber-defense strategies. To do this, start by planning ahead and developing a framework for building AI that has preapproved controls in place. Building human review into the decision-making process can go a long way toward preventing major issues. You can also leverage some of the work already being done to manage insider threats and apply that to controlling runaway AI.

Accelerate will enable fintechs to be onboarded to Mastercard in a matter of weeks and provide a guided experience through everything the company can offer. Program participants are connected to relevant parts of the business, to integrate Mastercard’s proprietary technology, leverage its insights and cybersecurity services, engage new customers, and reach new markets and segments. In addition, Mastercard’s commitment to financial inclusion drives focused product development, helping co-create solutions that enable a more inclusive economy. “Mastercard Accelerate is a single doorway to the countless ways Mastercard can help fintechs all over the world grow and scale sustainably,” said Michael Miebach, chief product & innovation officer, Mastercard. “Fintechs are contributing to the rapid digital transformation that makes lives more convenient, simpler, and rewarding. We’re the partner of choice for the top Fintech brands worldwide, and with Accelerate we invite the next generation of global entrepreneurs to join us.” “And for our financial institution partners and customers, Mastercard Accelerate provides access to the next generation of innovators, with a portfolio of start-up partners and fintechs ready to co-create and collaborate on new experiences,” added Miebach.

The temptation to use automated support to cut time and costs comes at the risk of further alienating physicians and other clinicians through IT, rather than making their lives easier. Automation via tools like chatbots and self-service surely “roboticizes” interactions, resulting in a loss in human-to-human contact and a degrading of users’ relationships with the IT staff — and perhaps with the institution itself. Despite all the hype around AI and machine learning, perhaps these technologies will be best embraced by support teams as an extension of their personal services, designed first to enhance the customer experience and only secondarily to ease the support staff’s workload and/or cut costs. If we are smart, we should be able to create a balance between digital and human interaction. Even IT-resistant physicians are learning to appreciate digital solutions if they clearly bring ease and convenience.

broken window with windows logo in clouds
Microsoft warned us at the beginning of the Win10 onslaught four-plus years ago that it wouldn’t dole out patches one by one. Except for emergency security fixes, patches would be released as part of cumulative updates. Over the years, that promise has evolved into a common pace of two cumulative updates per month: the first on Patch Tuesday, and a second “optional, non-security” cumulative update sometime later in the month. It’s one of the ways “Windows as a service” is a service, doncha know. Last month we were treated to an unholy pileup of Windows security patches as Microsoft released, then re-released, then finally pushed a fix to the Internet Explorer zero-day vulnerability known as CVE-2019-1367. Of course, nobody’s seen any widespread exploits attributable to that security hole, but the bugs — three different sets of them, corresponding to the three botched out-of-band patches — were breathtaking. This month, it looks like we’re headed in a similar direction.

Part 1 — what can these three Silicon Valley AI startups do for your business? image
According to Harvard Business School professor Clayton Christensen, each year more than 30,000 new consumer products are launched and 80% of them fail. There is a clear disconnect between product companies and the market. How does it work? The machine learning, natural language processing and visual AI models developed by Commerce.AI analyses unstructured customer feedback or data in the form of text, image, voice and video from reviews, and social media to a lesser extent. “We take unstructured data and synthesise it using AI, NLP and visual AI to create product intelligence for approximately 56,000 product categories,” explained Pandharikar. ... It’s all about improving product development and management; using AI/ML to identify the features that are working and build that into the next product, while taking positive feedback from millions of reviews and using that in the next generation of products. “The old way was to make consumers buy products, now it’s about making products that consumers want,” said Pandharikar.

Speaking at TechCrunch Disrupt SF, Jeanette Manfra, the assistant director for cybersecurity for Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said that the agency was making training for new cybersecurity professionals a priority. “It’s a national security risk that we don’t have the talent regardless of whether it’s in the government or the private sector,” said Manfra. “We have a massive shortage that is expected that will grow larger.” Homeland Security is already responding, working on developing curriculum for potential developers as soon as they hit the school system. “We spend a lot of time invested in K-12 curriculum,” she said. The agency is also looking to take a page from the the tech industry’s playbook and developing a new workforce training program that’s modeled after how to recruit and retain individuals. For Manfra, it’s important that the tech community and the government agencies tasked with protecting the nation’s critical assets work more closely together

With the emergence and the implementation of blockchain technology in the Australian financial domain, developers and entrepreneurs can put their creative minds to good use and produce even more innovative games for gambling lovers. This has been brought up due to a well-known relationship between the total revenue and a notable contribution that gambling holds to it. Not only will the peer-to-peer gaming become a reality opening the door for mutual betting, decentralized lotteries and other categories of games, but Aussie high roller casinos will also benefit sizably. One of the main attractions of using Blockchain technology will be the improved degree of trust between players and operators. Every game rule, underlying code, and the outcome will be enabled to verification and thus, enhanced safety and security will be guaranteed. In addition, it will not be too big of a hurdle for Blockchain to gain support rapidly in Australia since many reputable online casinos allow Australian punters to wager, withdraw and deposit in bitcoins.

cybersecurity awareness month
“Lock your devices up. Make backups. Stay on top of your accounts.” – Ivanti Insider “Be vigilant and be up-to-date. Verify you're typing in the correct web address. Before you click anything in an email, verify the sender is who you think it is and the link/attachment is something they themselves sent. Verify that your antivirus products are up-to-date (and that you have one installed!) and scanning, and that your PC is staying up-to-date with patches. Most issues can be avoided by being careful to always visit legitimate sites, ensuring you aren't opening attachments from unknown individuals, by keeping your PC patched, and your antivirus up-to-date and performing regular scans.” – Kelly Ruston, Technical Support Specialist, William Osler Health System “When you are going to click a link on a webpage or an email, hover over the link first and check the bottom left of your browser to see if it will take you to the page you are expecting.” – Adam Howard, Systems Administrator, Rack Room Shoes

Linx prosthetic
We’re walking in all sorts of different terrains, and the body is naturally adjusting itself, and the way legs move so that you can get around with the least amount of energy possible. The Linx needs to accommodate changes to the environment in a biomechanical way so that users don’t exert so much energy. And that’s a difficult problem because you’re dealing with such a huge variation. If you imagine the activities of daily living — every move that you do — thousands and thousands of steps — how do you detect these changes and accommodate them? The way to do it is to integrate the components of the limb. Rather than looking at products or joints individually, you can leverage all that new information. And what you end up with is a leg which behaves in a much more natural way — able to predict and move in a coordinated way. That’s another important thing. And in our limbs, the movement is very coordinated. Essentially our microprocessor foot would be making its own decisions in complete awareness of what a microprocessor knee would be doing.

A failure to publish an event can mean critical failure to the business process. To explain the problem statement better, let’s consider a Student microservice that helps Enroll the student. After enrollment, the "Course Catalog" service, emails the student all the available courses. Assuming an Event-Driven application, the Student microservice enrolls the student by inserting a record in the database and publishes an event stating that the enrollment for the student is complete. ... This pattern provides an effective solution to publish events reliably. The idea of this approach is to have an “Outbox” table in the service’s database. When receiving a request for enrollment, not only an insert into the Student table is done, but a record representing the event is also inserted into the Outbox table. The two database actions are done as part of the same transaction. An asynchronous process monitors the Outbox table for new entries and if there are any, it publishes the events to the Event Bus. The pattern merely splits the two transactions over different services, increasing reliability.

Quote for the day:

"Leverage is the ability to apply positive pressure on yourself to follow through on your decisions even when it hurts." -- Orrin Woodward

Daily Tech Digest - October 28, 2019

A Century of Healthcare Data

Firstly, there is the length of time that patient data will have to be preserved. People are now living longer than ever before, and current UK legislation states that GP records must be retained for ten years after the death of a patient. This means healthcare data being created today may need to be kept on file for up to 100 years or more. Secondly, the rate of technological development means this data may also have to be migrated between formats multiple times over its lifespan – which is both labour-intensive and expensive. Data storage technology and organisational priorities will continue to evolve, while the data itself will typically come from various sources. As a result, healthcare organisations will face a huge amount of complexity when it comes to preserving data and making it accessible, on top of the growing costs involved as data scales. Medical organisations therefore need to ensure that their storage infrastructure provides the highest possible scalability, flexibility and portability – especially with data volumes becoming so vast that just migrating data from one format or provider to another can require significant investment. 

UN, UNICEF, Red Cross officials targeted in recent phishing campaign

united nations UN
"We can't speculate on attribution," Jeremy Richards, principal security researcher at Lookout, told ZDNet in an email this week. "The motive of the attack is to compromise Okta and Microsoft credentials to gain access to these accounts, which could be used for further attacks or intelligence gathering." A member of a human rights advocacy group told this reporter in an encrypted chat this week that organizations such as his or the ones listed in the Lookout report are often the targets of all sorts of groups. State-sponsored groups want to breach human rights organizations to learn of any ongoing investigations, to track local or abroad whistleblowers, or gain intelligence on organization members to harass them at later points. Similarly, human rights groups are also regularly targeted by regular financially-motivated hackers, such as BEC (business email compromise) scammers, who want to hijack payments or steal funds. "It's no difference to them if we're a hardware vendor or NGO. All they want is the money," our source told us.

The best free photo editor 2019

The best free photo editor
There are dozens of free photo editors out there, so we've hand-picked the very best so you can make your pictures look amazing without paying a penny. Of course, if you're able to wait until Black Friday and Cyber Monday, you'll almost certainly be able to find a great deal on a premium photo editor like Adobe Photoshop, but there's plenty of choice out there if you can't wait that long. We've spent hours putting a huge range of photo editors to the test, and picked out the best ones for any level of skill and experience. From powerful software packed with features that give Photoshop a run for its money to simple tools that give your pictures a whole new look with a couple of clicks, there's something for everyone. Many free photo editors only offer a very limited selection of tools unless you pay for a subscription, or place a watermark on exported images, but none of the tools here carry any such restrictions. Whichever one you choose, you can be sure that there are no hidden tricks to catch you out.

AI Policies Are Setting Stage To Transform Healthcare But More Is Needed

The President signed an Executive Order in February 2019 setting the tone for improved data connectivity and stronger public-private partnerships to spark new products in the marketplace and inspire entrepreneurs. It highlights the need for better ways to connect the vast amounts of data that need to be sorted and ultimately harnessed for patients’ benefit. The Initiative mandates that heads of government research agencies like the National Institutes of Health (NIH) develop and identifying new AI programs, explore collaborations with the private sector and help train new generations of data scientists. AI hungers for data and the Initiative helps focus efforts on better methods to connect the countless dark pockets that are inaccessible or hoarded by some organizations. Connectivity is a considerable problem. Healthcare data is expected to double three times each year, leading to zettabytes of information which is utterly impossible to process using historical standards.

Why good strategies fail

Much has been written in management books, white papers, and news articles about how to craft a winning strategy. Scholars, strategy executives, management consultants, and business gurus alike, all have a formula for how to identify opportunities to advance an organization’s aspiration, architect a plan of attack, orchestrate resource allocation, and coordinate execution of priority initiatives. Developing a well-crafted strategy takes time, effort, money, intellectual commitment, and political capital. If you have ever led or participated in a strategic planning process, you know the drill. But what happens when your strategy doesn’t work as intended? What happens when your strategy falls short of delivering the expected results? The question of "why isn’t my strategy working?" is asked more often than many executives would like to admit. Yet, there is very little in the strategy literature that can help companies troubleshoot their strategy execution, isolate the causes of friction, and deploy mitigating and corrective actions. In this article, we aim to bridge that gap. We explore three critical strategic tensions—incoherence, incongruence, and inconsistency—their root causes, how to identify them, and how to make sure that they don’t prevent your strategy from realizing its full potential.

Psst! Wanna buy a data center?

data center / server racks / connections
Since then there have been numerous sales of data centers under better conditions. There are even websites that list data centers for sale. You can buy an empty building, but in most cases, you get the equipment, too. There are several reasons why, the most common being companies want to get out of owning a data center. It's an expensive capex and opex investment, and if the cloud is a good alternative, then that's where they go. But there are other reasons, too, said Jon Lin, president of the Equinix Americas office. He said enterprises have overbuilt because of their initial long-term forecasts fell short, partially driven by increased use of cloud. He also said there is an increase in the amount of private equity and real estate investors interested in diversifying into data centers. ... Enterprises do look to sell their data centers, but it's a more challenging process. She echoes what Lin said about the problem with specialty data centers. "They tend to be expensive and often in not great locations for multi-tenant situations. They are often at company headquarters or the town where the company is headquartered. So they are hard to sell," she said.

How 5G Will Revolutionise Retail Payments

The launch of 5G will provide more internet access, currently there is only a 49% global internet penetration. This will lead to more online consumers worldwide and create even faster websites. Broken down this is a 10X decrease in latency and up to 100X more network efficiency. Advancements with 5G will allow for easier online shopping experiences to an even broader spectrum of digital consumers. In fact, Adobe reports 5G will boost e-commerce revenue by $12 billion by 2021. Offering mobile adapted e-wallets will prepare retailers to take advantage of this trend. After 5G, consumers will truly be able to pay and shop wherever and whenever they want to, with little resistance and receive instant confirmation of their purchases. Merchants should see a boost in revenue due to even more seamless mobile shopping. A combination of merchant and shopper apps and faster 5G speeds will cause consumers to naturally move towards mobile commerce.

The rise of the platform economy in financial services

Industry 4.0 promises to herald in a new era of platform players delivering products and services designed to accurately meet the personalized needs of customers in a more tailored way throughout their lives. So what’s the perspective of Xavier Gomez @Xbond49 on this new era? “PSD2 rules clearly push banking sectors to renovate the customers relationship (B2B and B2C) for lower cost. The first wave of APIs in Europe was disappointing in terms of quality of data provided. Why? Banks produce a lot of data but they do not know how to use and leverage it unlike the GAFA. Open banking is an opportunity to build new banking services that are customizable to customers thanks to the “platformization” concept. Banks can apply a digital transformation policy by rebuilding a new IT core banking system (open source), by integrating fintech solutions and collaborating with start-ups.”

Nasty PHP7 remote code execution bug exploited in the wild

The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites. The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. "The PoC script included in the GitHub repository can query a target web server to identify whether or not it is vulnerable by sending specially crafted requests," says Satnam Narang, Senior Security Response Manager at Tenable. "Once a vulnerable target has been identified, attackers can send specially crafted requests by appending '?a=' in the URL to a vulnerable web server." ... But there are also website owners who cannot update PHP or can't switch from PHP-FPM to another CGI processor due to technical constraints.

Facebook alters video to make people invisible to facial recognition

Facebook’s approach pairs an adversarial autoencoder with a classifier network. As part of training of the network, researchers tried to fool facial recognition networks, Facebook AI Research engineer and Tel Aviv University professor Lior Wolf told VentureBeat in a phone interview. “So the autoencoder is such that it tries to make life harder for the facial recognition network, and it is actually a general technique that can also be used if you want to generate a way to mask somebody’s, say, voice or online behavior or any other type of identifiable information that you want to remove,” he said. Like faceswap deepfake software, the AI uses an encoder-decoder architecture to generate both a mask and an image. During training, the person’s face is distorted then fed into the network. Then the system generates distorted and undistorted images of a person’s face for output that can be embedded into video.

Quote for the day:

"Being honest and open is the only way to convince cynical employees that you truly want to establish a partnership with them." -- Florence M. Stone

Daily Tech Digest - October 26, 2019

Scammers are targeting Cash App users hoping for free money

On Instagram, hopeful entrants leave comments on Cash App Instagram posts. Scammers then jump on these posts using fake accounts pretending to be the legitimate firm, such as one named $cshfridayoffical, and request money for verification purposes. As an example, users would be asked to send $10 or $20 in order to claim $500. Other fraudsters take another approach. Rather than targeting #CashAppFriday directly, they will look for commenters and follow them, hoping to entice users into fake cash flipping scams. These cash 'flippers' claim they can turn small amounts of money into far larger amounts -- such as $7 into $120 -- and may also use limited-time only deal offers to ensnare Instagram users. In one example, a user under the name "Money Flip Queen" said that participants in cash flipping needed to have at least $25 stored in Cash App or a bank account. Likely doctored images displayed on the profile apparently show the successful money flips, and given this incentive, it is possible some fall for the ploy.

Cisco Networking Trends Report: ‘Intent-Based Networking Is Coming’

Cisco Networking Trends Report: ‘Intent-Based Networking Is Coming’
The survey found maximizing business value to be IT’s No. 1 priority with 40% of respondents naming it their top concern. But seeing the top of the mountain is one thing, and getting up there is another. In order to maximize business value, IT teams will require greater insight into data along with the right tools. “That’s why IT teams are embracing intent-based networking, AI and machine learning — because the business demand it,” said Scott Harrell, SVP and GM of Cisco enterprise networking, in a statement. ... Simply put: IT operators need visibility into both the network and its data, and Cisco expects IBN to pick up where SDN left off in providing a feedback loop that can indicate what is or is not working, and why.  The idea is that SDN provides a natural, solid foundation for an IT infrastructure evolution where added DevOps capabilities will afford network operators more control over network operations. IBN comes into play to close the feedback loop and “unlock the potential and intelligence to the data that the network and infrastructure provides.”

Lawyers of the world: Robots aren't replacing you--yet

Lillquist believes there is a role for AI in law practices. "AI will continue to transform the practice of law," he said. "Rather than replacing jobs, it will instead require lawyers to develop an increasing number of skills in order to make use of the latest technologies and maintain a competitive edge. These potential changes are an opportunity for lawyers. They will be able to leverage AI-enabled legal tech solutions that can help them complete more work at a higher degree of accuracy, freeing up time to focus on more meaningful work that can create greater value for their companies or clients. "AI will continue to take on repetitive tasks of increasing complexity, especially in data extraction, requiring that new systems be built in order to exact value out of new kinds of data. Lawyers will be responsible for working with technology to train it on datasets and law's nuances. Deep legal expertise is required to create technology that successfully operates in the legal space, and that knowledge resides in humans. We will probably also see a redefinition of what it means to be a lawyer, and what it means to work at a law firm or as an in-house counsel."

DARPA is betting on AI to bring the next generation of wireless devices online

The demand for spectrum has grown to the point that the wastefulness of this arrangement is becoming untenable. Spectrum is not only shared by commercial services; it also supports government and military communication channels that are critical for conducting missions and training operations. The advent of 5G networking only ups the urgency. ... To tackle this challenge, DARPA asked engineers and researchers to design a new type of communication device that doesn’t broadcast on the same frequency every time. Instead, it uses a machine-learning algorithm to find the frequencies that are immediately available, and different devices’ algorithms work together to optimize spectrum use. Rather than being distributed permanently to single, exclusive owners, spectrum is allocated dynamically and automatically in real time. “We need to put the world of spectrum management onto a different technological base,” says Paul Tilghman, a program manager at DARPA

Cyber in construction: Why cybersecurity should be in the blueprints

Employees and contractors commonly use project management software to track job status and collaborate with external vendors. Highly confidential plans, blueprints, bids, financial information, and even personally identifiable information (PII) – like full names and social security numbers – can be stored within these systems. As you can imagine, this data is a gold mine for cyber criminals, ensuring they are properly secured at all times should be top priority. It’s imperative for construction companies to take inventory of this data. Know exactly what information you have, where it’s stored, and who exactly has access to this information. Securing data on secure servers or in the cloud is ideal, to ensure that your on-the-go team is not saving confidential information on their hard drives or personal devices. Globally, the average cost of a data breach can cost a company $3.9 million dollars. In addition to the financial loss, companies face long-term effects such as lost business and bad press coverage – a large data breach can tarnish a reputation within the industry.

Face It -- Biometrics To Be Big In Cybersecurity

Authenitication by facial recognition concept. Biometrics. Security system.
The engineers at Google are bringing second generation FIDO protocols to every Android smartphone running software version 7.0 or above. The software will begin rolling out to devices over the next few days in an over-the-air update. The attraction is users will simply register their login credentials with websites and applications once, then the biometric information will supersede usernames and passwords. Fingerprint information is never stored on Google servers. It is maintained cryptographically on the device. This is a big deal. There are 2.8 billion Android users worldwide. Forbes calculates that 1.7 billion users will get the FIDO2 update. And FIDO2 is already supported across all of the leading internet browsers, including Google Chrome, Microsoft Edge, Firefox and Apple Safari. This follows a decision by Microsoft in 2018 to bring the same capability to 800 million Windows users through its Hello login. Faster, more secure logins make life easier for users. However, the real benefit accrues to enterprises, financial institutions, telecoms, insurance, and the government. Better authentication speeds ecommerce and banking transactions.

The IoT could provide a model for improved internet security

While the Internet of Things (IoT) undoubtedly creates potential risks – especially when it comes to the number of internet-facing endpoints potentially vulnerable to attackers – the risk is a known quality, so it can also be dealt with in a way which, if applied correctly, could improve internet security. That's because, Martin suggested, the way the internet currently operates creates security risks for users. "We're moving away from an internet economy where people give away large amounts of personal data for free in order to get services they don't have to pay for with money – which isn't very good for security – towards a model where people will be paying for products and services". That, he argued, "gives us an opportunity to introduce objective standards that consumers and businesses can judge when buying those products and services". The NCSC has already worked alongside the Department for Culture, Media and Sport to produce guidelines for IoT device manufacturers designed to ensure that products are secure and easy to update.

3 steps to reskilling in the digital era that no leader can afford to miss

3 steps to reskilling in the digital era that no leader can afford to miss
Projections of 40-50% of jobs in the manufacturing or transportation industry being potentially done by robots in the next 15 years are accurate, but they don’t consider that most new employment opportunities at the time will be in job categories that don’t exist today. After all, jobs like ethical hacker or data scientist didn’t exist until recently. In the workforce of the future, the warehouse operator will likely not just direct operations, but also manage algorithms that run the robots. The accountant and call center agent will be freed of the drudgery of data entry and physical paperwork by robots, and take over the higher-order decision-making that the robots cannot do. The upshot is that working with technology is becoming commonplace in every function in the enterprise. The distinction between technology “developers” and “users” is becoming increasingly blurred. Technology such as “low-code” and “no-code” software development allows employee profiles that may have been thought of as “users” of systems to also be “developers” of software.

Congress Grills Facebook's Zuckerberg on Cryptocurrency Plans

Congress Grills Facebook's Zuckerberg on Cryptocurrency Plans
"Facebook's plans to create a digital currency, Libra, and a digital wallet, Calibra, raise many concerns relating to privacy, trading risks, discrimination, opportunities for diverse-owned financial firms, national security, monetary policy and the stability of the global financial system," Waters said. Zuckerberg received a warmer reception from some of the Republicans on the committee, who praised the Facebook CEO for attempting innovation in the payments industry. Rep. Patrick McHenry, R-N.C., the ranking Republican on the committee, used his opening statement to make the case for more of these types of experiments. "American innovation is on trial today in this hearing," McHenry said. Later in the hearing, Republican Roger Williams of Texas said: "I do admire people in our capitalist system here that are disruptors ... that [they] find the weakness and try to exploit it with a new product that's better for consumers." But committee members from both parties raised questions about why the Libra Association, which would oversee the virtual currency, is located in Switzerland when it plans to comply with U.S. financial regulations.

Q&A on the Book: The Technology Takers – Leading Change in the Digital Era

The balance of power has shifted between companies and customers. Customer demands have changed, not due to direct competitors, but due to customer experience in other industries. The global dominance of smartphone processes has caused consumers to expect choice.  For example, faced with shifting consumer demand, McDonald’s has started eliminating its proprietary technologies for over-the-counter and drive-up window ordering. Customers can now use self-service technology to customize their McDonald’s hamburger – instead of going across the street to the competition. Technology-taking managers have access to real-time data about business operations. Coupled with effective analysis, these data can help managers test assumptions and develop new hypotheses. Scania, a truck manufacturer, recognized the importance of data in transportation. In Europe, a truckload of 60% capacity is typical. Scania has built an international database to improve fleet management by tracking speed, fuel use, engine performance and driving technique, enabling their clients to improve fill rates and reduce costs.

Quote for the day:

"Most people who sneer at technology would starve to death if the engineering infrastructure were removed." -- Robert A. Heinlein

Daily Tech Digest - October 24, 2019

Developers: The Cause of and Solution to Security's Biggest Problems

"Investing in bringing developers on those security teams can help them build things that are going to be directly consumed by engineers," Lackey says. He is far from an outlier in this view that security needs to hire more developers. Hit up security and DevOps conferences today, and you'll increasingly run across security managers who are pushing hard for the industry to prioritize development experience. "I only hire developers; I don't hire security people anymore," says John Melton, application security senior manager at Oracle NetSuite. "If you're a security person and you can't code, you should learn how, or you should hire people on your team who know how to code." As Melton explains, the lack of development knowledge is endemic in the security world, and it's hurting security teams in so many ways. He's far from the only one to voice those concerns. According to Larry Maccherone, who runs the DevSecOps transformation at Comcast as senior director in the technology and product division's security and privacy group, a lack of developers on security teams does the most damage to the team's credibility.

Google CEO Sundar Pichai on achieving quantum supremacy

Google wouldn’t be here today if it weren’t for the evolution we have seen in computing over the years. Moore’s Law has allowed us to scale up our computational capacity to serve billions of users across many products at scale. So at heart, we view ourselves as a deep computer science company. Moore’s Law is, depending on how you think about it, at the end of its cycle. Quantum computing is one of the many components by which we will continue to make progress in computing. The other reason we’re excited is—take a simple molecule. Caffeine has 243 states or something like that. We know we can’t even understand the basic structure of molecules today with classical computing. So when I look at climate change, when I look at medicines, this is why I am confident one day quantum computing will drive progress there. ... For example, us building our own data centers is what allowed us to build something like TPUs, which makes our algorithms go faster. So it’s a virtuous cycle.

How to secure, manage and monitor edge devices

How to secure, manage and monitor edge devices image
How can organisations secure their edge devices, which allows enterprises to take steps towards the real-time and proactive management of applications? From Nick Dawson‘s perspective, security needs to be embedded in the actual compliance. “It needs to be a fundamental part of the DNA of any given device,” he said. However, there needs to be a mindset shift. Users and business partners tend to think of smartphones as the most important device that should be protected. But, in reality, a smart toaster of fish tank could provide a route in for hackers. “Any appliance that is connected to a network must have security built into it,” Dawson continued. ... As organisations see the proliferation of different types of devices, with more connected endpoints out there on the network, one of the challenges is being able to monitor it all — “how do I ensure that everything is doing what it’s supposed to do,” asked Dawson? For large multinational companies, there are lots of individuals with different skill sets who can’t all be up 24 hours a day.

FTC bans Retina-X from selling creepy stalkerware

The settlement resolves allegations that these apps compromised the privacy and security of the consumer devices on which they were installed. … The FTC alleges that Retina-X and Johns developed three mobile device apps that allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device’s user.… Retina-X sold more than 15,000 subscriptions to all three stalking apps before the company stopped selling them. … While Retina-X claimed in its legal policies that the apps were intended for monitoring employees and children, Retina-X did not take any steps to ensure that its apps were being used for these purposes. … At the same time, devices on which the apps were installed were exposed to security vulnerabilities. The FTC also alleges that Retina-X and Johns failed to adequately secure the information collected from the mobile devices. [It] failed to adopt and implement reasonable information security policies and procedures, conduct security testing on its mobile apps, [or] conduct adequate oversight of its service providers.

Cisco issues critical security warning for IOS XE REST API container

secure system / network security policy management
With the vulnerability an attacker could submit malicious HTTP requests to the targeted device and if successful, obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device, the company said. According to Cisco the REST API is an application that runs in a virtual services container. A virtual services container is a virtualized environment on a device and is delivered as an open virtual application (OVA). The OVA package has to be installed and enabled on a device through the device virtualization manager (VMAN) CLI. The Cisco REST API provides a set of RESTful APIs as an alternative method to the Cisco IOS XE CLI to provision selected functions on Cisco devices. ... Cisco said it has released a fixed version of the REST API virtual service container and a hardened IOS XE release that prevents installation or activation of a vulnerable container on a device. If the device was already configured with an active vulnerable container, the IOS XE software upgrade will deactivate the container, making the device not vulnerable.

Machine teaching, LUIS and the democratization of custom AI with Dr. Riham Mansour

The goal of machine teaching and traditional machine learning is to build an accurate model. Same goal, right? So a user who’s using either, would have the goal in mind to build a model, a good model, right? But then, the ‘what’ and ‘how’ is what’s different. So usually to build any model from data you need to have some knowledge that exists somewhere. In machine teaching, it’s about extracting the knowledge from the teacher, so it has the human-in-the-loop providing the necessary knowledge about the domain, so that we can build an AI model specific to that domain. Traditional machine learning is about extracting knowledge from data. So, using the compute power to extract the knowledge from huge amounts of data, and that’s where deep learning and other key words, transferred learning, come into play. So when and why machine teaching can be useful, I would say, in situations where there isn’t enough labeled data already available ...

Achieving a data-centric approach to security requires homomorphic encryption

A data-centric approach to security requires homomorphic encryption image
Real-time homomorphic encryption — the ability to perform mathematical functions on data and get search queries back without decrypting it — is a solution that fosters a data-centric approach to security. With this technology, where ShieldIO is a pioneer, “privileged and non-privileged users can get value from the encrypted data in real-time, without seeing, exposing or decrypting the actual data,” said Jennings. ... Users need to do their job, but it’s important that blockers don’t get in the way, in the name of security. Security needs to be efficient, but it should run in the background and not interfere with users doing their job. “Our job is to make security as easy and secure as possible and not get in the way of people’s jobs,” confirmed Jennings. This can be achieved by enabling; access to encrypted data in-use, development test environments to use real data without exposing live data, real-time speed of query on a fully encrypted dataset and, a simple, fast and transparent data security implementation through standard database drivers.

ServiceNow under Bill McDermott: What you can expect

For ServiceNow to grow significantly acquisitions are likely. ServiceNow's category expansions are notable, but purchases could accelerate those moves. McDermott led a series of SAP acquisitions as it transitioned to the cloud. Wood said: McDermott has the experience, background and network to 1) heavily recruit sales talent to backfill any attrition and put together sales leadership that can run enterprise sales operations at scale (maybe second only to Keith Block in this last regard); and 2) effectively on-board new acquisitions in order to help ServiceNow enter new markets and scale in size (much like SAP, Oracle and Salesforce have done). Sarah Hindlian, an analyst at Macquarie Capital, noted that SAP is a large ServiceNow customer and the companies have grown closer. What if ServiceNow and McDermott wound up back at SAP? Stranger things have happened. ... Hindlian also argued that McDermott is also likely to expand ServiceNow's global profile. ServiceNow doesn't have the global experience yet and McDermott has a global contact list and is used to chasing big multinational companies.

New security alliance wants to build strong defense against cyber-physical attacks on IoT devices

As the Industrial Internet of Things digitizes more and more manufacturing processes, security risks from the IT world are reaching into operational technology as well. Operational technology (OT) includes the hardware and software that manage processes of physical devices such as valves, pumps, sensors, cameras, electronic locks, and thermostats. Until recently, these technologies have not generated data for business use and OT traditionally has not been part of an IT department's responsibilities. OT systems typically have relied on physical security and have ensured high availability at the expense of confidentiality and integrity. As more of these processes and devices are connected to the Internet, that opens up OT systems to cyber attacks.  In a report on the digitization of the oil and gas industry, EY Global found that the convergence of the IT and OT environments has created new cyber-physical risks: "... network connected endpoint devices such as unmanned vehicles, smart sensors, handheld engineer terminals and industrial routing equipment are being produced and deployed without a cybersecurity baseline implementation and are open to remote compromise."

Why Organizations Must Quantify Cyber-Risk in Business Terms

Security leaders can learn from other industries about how to quantify risk in business terms, like financial services, which has been out in front when it comes to managing risk. People don't let banks manage their life savings if they don't understand the risks and guard against losses. Financial services and cybersecurity aren't that dissimilar. Both feature increasingly complex systems and could suffer catastrophic damage in the event of failures that can cascade out into entire industries and geographies. Cyber-risk varies depending on the type of organization affected and the potential harm. Two examples of cyberattacks that pose significant risk have targeted industries that are critical to the functioning of civil society. In 2015 and 2016, Ukraine's power grid was disrupted by nation-state attacks. Just recently, US officials revealed a much less serious cyberattack in March that briefly affected a grid control center and small power generation sites in California, Utah, and Wyoming.

Quote for the day:

"A leader is one who knows the way, goes the way, and shows the way." -- John C. Maxwell