Daily Tech Digest - October 24, 2019

Developers: The Cause of and Solution to Security's Biggest Problems


"Investing in bringing developers on those security teams can help them build things that are going to be directly consumed by engineers," Lackey says. He is far from an outlier in this view that security needs to hire more developers. Hit up security and DevOps conferences today, and you'll increasingly run across security managers who are pushing hard for the industry to prioritize development experience. "I only hire developers; I don't hire security people anymore," says John Melton, application security senior manager at Oracle NetSuite. "If you're a security person and you can't code, you should learn how, or you should hire people on your team who know how to code." As Melton explains, the lack of development knowledge is endemic in the security world, and it's hurting security teams in so many ways. He's far from the only one to voice those concerns. According to Larry Maccherone, who runs the DevSecOps transformation at Comcast as senior director in the technology and product division's security and privacy group, a lack of developers on security teams does the most damage to the team's credibility.



Google CEO Sundar Pichai on achieving quantum supremacy

Google wouldn’t be here today if it weren’t for the evolution we have seen in computing over the years. Moore’s Law has allowed us to scale up our computational capacity to serve billions of users across many products at scale. So at heart, we view ourselves as a deep computer science company. Moore’s Law is, depending on how you think about it, at the end of its cycle. Quantum computing is one of the many components by which we will continue to make progress in computing. The other reason we’re excited is—take a simple molecule. Caffeine has 243 states or something like that. We know we can’t even understand the basic structure of molecules today with classical computing. So when I look at climate change, when I look at medicines, this is why I am confident one day quantum computing will drive progress there. ... For example, us building our own data centers is what allowed us to build something like TPUs, which makes our algorithms go faster. So it’s a virtuous cycle.


How to secure, manage and monitor edge devices

How can organisations secure their edge devices, which allows enterprises to take steps towards the real-time and proactive management of applications? From Nick Dawson’s perspective, security needs to be embedded in the actual compliance. “It needs to be a fundamental part of the DNA of any given device,” he said. However, there needs to be a mindset shift. Users and business partners tend to think of smartphones as the most important device that should be protected. But, in reality, a smart toaster or fish tank could provide a route in for hackers. “Any appliance that is connected to a network must have security built into it,” Dawson continued. ... As organisations see the proliferation of different types of devices, with more connected endpoints out there on the network, one of the challenges is being able to monitor it all — “how do I ensure that everything is doing what it’s supposed to do?” asked Dawson. For large multinational companies, there are lots of individuals with different skill sets who can’t all be up 24 hours a day.


FTC bans Retina-X from selling creepy stalkerware

The settlement resolves allegations that these apps compromised the privacy and security of the consumer devices on which they were installed. … The FTC alleges that Retina-X and Johns developed three mobile device apps that allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device’s user.… Retina-X sold more than 15,000 subscriptions to all three stalking apps before the company stopped selling them. … While Retina-X claimed in its legal policies that the apps were intended for monitoring employees and children, Retina-X did not take any steps to ensure that its apps were being used for these purposes. … At the same time, devices on which the apps were installed were exposed to security vulnerabilities. The FTC also alleges that Retina-X and Johns failed to adequately secure the information collected from the mobile devices. [It] failed to adopt and implement reasonable information security policies and procedures, conduct security testing on its mobile apps, [or] conduct adequate oversight of its service providers.


Cisco issues critical security warning for IOS XE REST API container

With the vulnerability, an attacker could submit malicious HTTP requests to the targeted device and, if successful, obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device, the company said. According to Cisco, the REST API is an application that runs in a virtual services container. A virtual services container is a virtualized environment on a device and is delivered as an open virtual application (OVA). The OVA package has to be installed and enabled on a device through the device virtualization manager (VMAN) CLI. The Cisco REST API provides a set of RESTful APIs as an alternative method to the Cisco IOS XE CLI to provision selected functions on Cisco devices. ... Cisco said it has released a fixed version of the REST API virtual service container and a hardened IOS XE release that prevents installation or activation of a vulnerable container on a device. If the device was already configured with an active vulnerable container, the IOS XE software upgrade will deactivate the container, so that the device is no longer vulnerable.


Machine teaching, LUIS and the democratization of custom AI with Dr. Riham Mansour

The goal of machine teaching and traditional machine learning is to build an accurate model. Same goal, right? So a user who’s using either, would have the goal in mind to build a model, a good model, right? But then, the ‘what’ and ‘how’ is what’s different. So usually to build any model from data you need to have some knowledge that exists somewhere. In machine teaching, it’s about extracting the knowledge from the teacher, so it has the human-in-the-loop providing the necessary knowledge about the domain, so that we can build an AI model specific to that domain. Traditional machine learning is about extracting knowledge from data. So, using the compute power to extract the knowledge from huge amounts of data, and that’s where deep learning and other key words, transferred learning, come into play. So when and why machine teaching can be useful, I would say, in situations where there isn’t enough labeled data already available ...


Achieving a data-centric approach to security requires homomorphic encryption

Real-time homomorphic encryption — the ability to perform mathematical functions on data and get search queries back without decrypting it — is a solution that fosters a data-centric approach to security. With this technology, where ShieldIO is a pioneer, “privileged and non-privileged users can get value from the encrypted data in real-time, without seeing, exposing or decrypting the actual data,” said Jennings. ... Users need to do their job, but it’s important that blockers don’t get in the way, in the name of security. Security needs to be efficient, but it should run in the background and not interfere with users doing their job. “Our job is to make security as easy and secure as possible and not get in the way of people’s jobs,” confirmed Jennings. This can be achieved by enabling: access to encrypted data in-use; development test environments that use real data without exposing live data; real-time speed of query on a fully encrypted dataset; and a simple, fast and transparent data security implementation through standard database drivers.
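To make the "compute on data without decrypting it" claim concrete, here is an added example (not ShieldIO's product or the article's code) using the Paillier cryptosystem, which is additively homomorphic: a database-side process holding only ciphertexts can total a column, and only the key holder can read the result. The primes are constructed toy parameters, far too small for real use, and the payroll figures are made-up sample data.

```python
import math
import secrets

# Toy Paillier key (constructed for illustration; real deployments use ~2048-bit N).
P = 2**61 - 1          # Mersenne prime
Q = 2**31 - 1          # Mersenne prime
N = P * Q              # public modulus; plaintexts live in [0, N)
N2 = N * N             # ciphertexts live in [0, N^2)
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1), private
MU = pow(LAMBDA, -1, N)   # private; valid because we fix the generator g = N + 1

def encrypt(m: int) -> int:
    """Public-key operation: c = g^m * r^N mod N^2 with a fresh random r."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2

def decrypt(c: int) -> int:
    """Private-key operation: m = L(c^lambda mod N^2) * mu mod N, L(u) = (u-1)/N."""
    u = pow(c, LAMBDA, N2)
    return (((u - 1) // N) * MU) % N

def add_encrypted(c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the plaintexts; needs no key at all."""
    return (c1 * c2) % N2

def scale_encrypted(c: int, k: int) -> int:
    """Raising a ciphertext to a known scalar k multiplies the plaintext by k."""
    return pow(c, k, N2)

def encrypted_total(column):
    """Server side: aggregate a stored column of ciphertexts blind."""
    acc = encrypt(0)
    for c in column:
        acc = add_encrypted(acc, c)
    return acc

def payroll_total(salaries):
    """Client encrypts each value, server sums ciphertexts, client decrypts one number."""
    stored = [encrypt(s) for s in salaries]     # what the database actually holds
    return decrypt(encrypted_total(stored))
```

Every fresh encryption of the same value yields a different ciphertext, so the stored column leaks neither values nor equality between rows; the server learns only what the key holder chooses to decrypt.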


ServiceNow under Bill McDermott: What you can expect

For ServiceNow to grow significantly, acquisitions are likely. ServiceNow's category expansions are notable, but purchases could accelerate those moves. McDermott led a series of SAP acquisitions as it transitioned to the cloud. Wood said: McDermott has the experience, background and network to 1) heavily recruit sales talent to backfill any attrition and put together sales leadership that can run enterprise sales operations at scale (maybe second only to Keith Block in this last regard); and 2) effectively on-board new acquisitions in order to help ServiceNow enter new markets and scale in size (much like SAP, Oracle and Salesforce have done). Sarah Hindlian, an analyst at Macquarie Capital, noted that SAP is a large ServiceNow customer and the companies have grown closer. What if ServiceNow and McDermott wound up back at SAP? Stranger things have happened. ... Hindlian also argued that McDermott is likely to expand ServiceNow's global profile. ServiceNow doesn't have the global experience yet, and McDermott has a global contact list and is used to chasing big multinational companies.


New security alliance wants to build strong defense against cyber-physical attacks on IoT devices


As the Industrial Internet of Things digitizes more and more manufacturing processes, security risks from the IT world are reaching into operational technology as well. Operational technology (OT) includes the hardware and software that manage processes of physical devices such as valves, pumps, sensors, cameras, electronic locks, and thermostats. Until recently, these technologies have not generated data for business use and OT traditionally has not been part of an IT department's responsibilities. OT systems typically have relied on physical security and have ensured high availability at the expense of confidentiality and integrity. As more of these processes and devices are connected to the Internet, that opens up OT systems to cyber attacks. In a report on the digitization of the oil and gas industry, EY Global found that the convergence of the IT and OT environments has created new cyber-physical risks: "... network connected endpoint devices such as unmanned vehicles, smart sensors, handheld engineer terminals and industrial routing equipment are being produced and deployed without a cybersecurity baseline implementation and are open to remote compromise."


Why Organizations Must Quantify Cyber-Risk in Business Terms

Security leaders can learn how to quantify risk in business terms from other industries, such as financial services, which has been out in front when it comes to managing risk. People don't let banks manage their life savings if they don't understand the risks and guard against losses. Financial services and cybersecurity aren't that dissimilar. Both feature increasingly complex systems and could suffer catastrophic damage in the event of failures that can cascade out into entire industries and geographies. Cyber-risk varies depending on the type of organization affected and the potential harm. Two examples of cyberattacks that pose significant risk have targeted industries that are critical to the functioning of civil society. In 2015 and 2016, Ukraine's power grid was disrupted by nation-state attacks. Just recently, US officials revealed a much less serious cyberattack in March that briefly affected a grid control center and small power generation sites in California, Utah, and Wyoming.



Quote for the day:


"A leader is one who knows the way, goes the way, and shows the way." -- John C. Maxwell

