Daily Tech Digest - October 02, 2019

U.S. Government Confirms New Aircraft Cybersecurity Move Amid Terrorism Fears

Modern aircraft are essentially “flying data centers in the sky,” says Ian Thornton-Trump, security head at AMTrust Europe. “It's natural for the Air Force to apply its cyber defensive and offensive skills in order to ensure the logistical and refuelling fleet is robust when it comes to physical and cybersecurity. I believe this is a great idea and the Air Force is about to pick up the cybersecurity ball after the FAA–for a lot of reasons–either dropped it or had it taken away.” He points out that the Air Force's mission of “fly, fight and win in air, space and cyberspace” cannot be achieved “if the civilian platforms they have prove vulnerable to cyberattack.” It’s a major issue: the consequences of cyberattacks targeting commercial aircraft could be “devastating” and put people’s lives in danger, says Andrea Carcano, co-founder of Nozomi Networks. “Airlines therefore need to develop security strategies where vulnerabilities are monitored and mitigated continuously.”



Why military minds should fill cybersecurity seats on corporate boards

Well, this is not about appointing somebody to go through the techno-babble or the IT geekiness of it. It's really about understanding operational risk, and this is where veterans can come into play because veterans at a lot of levels, but really at the senior officer levels, understand operational risk and risk to the mission. They're trained to understand technical issues. Take my background, for example, which is with the US Navy. Ships are complex machines; they are whole mechanical and electrical systems. There are systems of systems that are embedded within these ships, and so it doesn't matter what your job is on board, you understand technical issues, and you understand how those systems play with each other to carry the whole. And so it's all about operational risk, and the senior ranks have extensive planning, strategy and decision-making experience that could benefit the board's oversight role. And again, getting back to the information and risk part, understanding and mitigating risks to the mission is a core competency in the military.


Singapore online falsehoods law kicks in with details on appeals process


The legislation was mooted as a way to "protect society" against online false news created by "malicious actors", which the Law Ministry said could be used to divide society, spread hate, and weaken democratic institutions. The government, however, was urged to make key amendments to better reassure the public it would not be used to stifle free speech, with several arguing that the act provided the government "far-reaching powers" over online communications. Industry players and observers expressed concerns the law would afford the Singapore government "full discretion" over whether a piece of content was deemed true or false. Under POFMA, two criteria must be met for the law to apply: there must be a false statement of fact, and it must be in the public interest to act. It also does not cover criticisms, satire or parody, and opinions. Comments on falsehoods are also excluded, though the Law Ministry has cautioned that "care" should be exercised to "avoid repeating" the falsehood. It also assures that the act will not be used to punish people for sharing falsehoods "in ignorance [and] good faith".


The Inestimable Values of an Attacker's Mindset & Alex Trebek

For three years, Pardee performed network analysis to include target characterization, exploitation usage, documentation, and exploit planning to help the intelligence agency extract insights from targets. Yet he'd begun as an electrical engineering major, with dreams of working on mobile communications, and was initially hired by NSA to work on power distribution logistics. Pardee didn't have any training on cyberattacks or defense. What he did have was a strong set of critical thinking, logic, and problem-solving skills – a highly translatable skillset that was further honed by his NSA work. The agency trained him on the rest. "Looking back on it, I got a lot of interesting classes and experiences there to learn about security from the other side first. Everything was taught through an attacker's lens," he says. "Now, as I've continued my career, I see how valuable that is.” Many IT professionals, he explains, will begin their careers learning about the right way to do things.


Here's What Hackers Don't Want You to Know


It's not enough to just set up a segmented network and forget about it. Security isn't a set-it-and-forget-it proposition. It requires constant monitoring, scrutiny, and support. Your CSO has to inspect the logs every day to ensure everyone who has gained access to the network is supposed to be there. Your CSO has to ensure that everyone who has access to the network only has access to what they need and nothing more. Your CSO has to ensure that people are changing their passwords on a regular basis, not using those passwords anywhere else, and using passwords with the proper amount of complexity. This, of course, means that your summer intern can't serve as your company's CSO. Neither can Bob in the accounts receivable department. You have to have someone whose dedicated job is to maintain the security in your network. If you have a small-to-medium-size business and you can't afford this, hiring a third party to manage this for you is probably going to be your best option.


Serverless Security Threats Loom as Enterprises Go Cloud Native

As companies start using new cloud-native technologies including serverless functions, they also need to update their understanding of security threats and how to implement the right security controls. The study found that API-related vulnerabilities are the top threat concern (63% of respondents) when it comes to serverless usage within organizations. An example of this threat is attackers misusing privileged accounts to execute serverless functions. “So even though we are talking about something new,” Cahill said, referring to serverless, “the attack vectors and methods are old methods applied to a new technology. So we should always be thinking about how privileged accounts are being used. We want to make sure we implement a least-privilege model” to restrict access for accounts to only the resources required to perform routine, legitimate activities. Another example, he said, is fuzzing, “which is basically putting in parameters at the end of an API call as a way to take over the API call.”
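As an added illustration of the least-privilege point above (this is not code from the article or from the study it cites), the following Python audit flags execution-role policy statements that grant wildcard actions or resources to a serverless function; the two policies, the account ID and the ARNs are constructed samples.

```python
import json

# Constructed samples (hypothetical, not from the article): an over-broad
# execution role for a serverless function beside a scoped version.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*"},
    ],
})


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy_json):
    """Return (statement index, reason, values) for Allow statements that grant
    a full wildcard action ("*" or "service:*") or a wildcard resource ("*").
    Partial wildcards such as "s3:Get*" and NotAction statements are left to
    manual review; this check targets the grants that clearly exceed what a
    function needs for its routine work."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", "*"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action", actions))
        if any(r == "*" for r in resources):
            findings.append((i, "wildcard resource", resources))
    return findings
```

Run the check against every function's execution role at deploy time; an empty result for a policy like SCOPED_POLICY is the expected state, while each finding on BROAD_POLICY names a statement to narrow.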


Intel proposes new SAPM memory type to protect against Spectre-like attacks

Researchers say their "proposal provides more flexibility to software" by moving most of the mechanism that prevents speculative execution attacks to the hardware level. The idea is that most speculative execution side-channel attacks can be split into two parts: the "frontend" part of the exploit code, and its "backend." Intel STORM researchers say the second part (the backend) of most speculative execution attacks performs the same actions. SAPM was designed to introduce hardware-based protections against the backend part of most attacks. It is because of this concept that Intel's research team believes SAPM will also future-proof the next generations of Intel CPUs against other -- currently undiscovered -- speculative execution attacks. But the idea of introducing new mitigations will always raise questions about reducing CPU performance. Intel STORM researchers don't deny that there's a performance hit; however, this impact is low and could be mitigated further by dropping other existing protections.


Automation with intelligence


Organisations believe they can transform their business processes, achieving higher speed and accuracy by automating decisions on the basis of structured and unstructured inputs. They expect an average payback period of 15 months – and in the scaling phase just nine months. Process fragmentation – the way in which processes are managed in a wide range of methods – is seen by 36 per cent of survey respondents as the main barrier to the adoption of intelligent automation. IT readiness is considered the main barrier by 17 per cent of organisations. ... almost two-thirds of organisations have not considered what proportion of their workforce needs to retrain as a result of automation. Even organisations that have automated at scale (51+ automations) are not yet thinking about this, with 53 per cent stating that they have not yet explored whether their workforce needs to reskill as a result of their automation strategy. Reskilling based on how the human workforce will interact with machines, including changes to role definitions, should be baked into organisations’ plans for intelligent automation adoption in order to leverage the expected capacity enhancement.


Is Swarm AI the answer to fears over AI and jobs?

Swarm AI is a technology developed by Unanimous AI. A previous study, conducted at Stanford University School of Medicine, looked at groups of radiologists using Swarm AI to collaboratively diagnose chest x-rays. Published results showed a 33% reduction in diagnostic errors when using Swarm AI. Compare this finding with the results of another study showing AI can match humans in disease diagnosis. It seems that AI is powerful, but in combination with humans, more so. But add to the mix, AI being used to help humans more effectively collaborate — and the end result could be formidable indeed. In another recent study, business teams were tested on a standard IQ test using Swarm AI and were shown to increase their effective IQ by 14 points. The latest study looking at Swarm AI, this time produced in conjunction with the California Polytechnic State University, found “AI technology modelled on biological swarms could be used to accurately predict which business teams would be high performing based on the personality of the individual members.”



Developed together with industry partners, Teo said the OT cyber security masterplan will guide the development of capabilities to secure systems in an OT environment and mitigate emerging threats to those systems. He added that the masterplan has outlined plans to train more OT cyber security professionals with advanced cyber security skills, and to establish an OT cyber security information sharing and analysis centre with the Global Resilience Federation (GRF). Managed by the Asia-Pacific business unit of GRF, the centre will serve as a threat information sharing hub for companies in energy, water and other CII sectors in Singapore. “Singapore offers a strong economy, a highly educated workforce, a central location, and an environment friendly to trade and investment,” said Mark Orsi, president of GRF.



Quote for the day:


"Integrity is the soul of leadership! Trust is the engine of leadership!" -- Amine A. Ayad

