The metaphors of neuroscience – computers, coding, wiring diagrams and so on – are inevitably partial. That is the nature of metaphors, which have been intensely studied by philosophers of science and by scientists, as they seem to be so central to the way scientists think. But metaphors are also rich and allow insight and discovery. There will come a point when the understanding they allow will be outweighed by the limits they impose, but in the case of computational and representational metaphors of the brain, there is no agreement that such a moment has arrived. From a historical point of view, the very fact that this debate is taking place suggests that we may indeed be approaching the end of the computational metaphor. What is not clear, however, is what would replace it. Scientists often get excited when they realise how their views have been shaped by the use of metaphor, and grasp that new analogies could alter how they understand their work, or even enable them to devise new experiments. Coming up with those new metaphors is challenging – most of those used in the past with regard to the brain have been related to new kinds of technology.
To mitigate insider threats, experts suggest that enterprises develop their own risk algorithms by coupling machine learning capabilities with behavioral analytics to understand discrepancies in employee activities. Companies can use human resources data to help create these new algorithms, said Dawn Cappelli, CISO of Rockwell Automation. "The key is having HR data. You can build your risk models by taking the contextual employee data along with their online activity and create risk algorithms." But the real challenge is refining and contextualizing this data in order to correctly identify potential threats, said Solomon Adote, CISO for the state of Delaware. "Data without context might not tell you the full story," Adote said. "It has to be about identifying what is abnormal about a particular activity." Once the data is contextualized, Adote noted, enterprises then can use this information to create alerts, advise employees about their activities and make them aware that the company is aware of what's happening internally. "That's sometimes all you need to prevent a significant catastrophe," Adote said.
Microsoft this week launched an Office app that replaces Word, Excel, and PowerPoint on Android and iOS. Merging three apps into one, while adding more features, is quite the achievement. The new Office app is not just for consuming content and maybe a little light editing on the side, but actually creating content on the go. Most interestingly, a lot of these features fundamentally require AI and machine learning to achieve this new mobile productivity paradigm. Microsoft has been adding AI-driven features to its once most profitable product line for years now — we did a recap of just a handful last year. This week’s Office launch, however, showed Microsoft’s embrace of AI as not merely augmenting what you can already do with the productivity suite, but added new use cases altogether. Most of the new features are not simply traditional desktop features ported to mobile. They are use cases that are better on mobile, or not even possible on desktop. Office lets you take a picture of a document and turn it into a Word file.
In the car insurance sector, insurers use telematics to collect real-time driving data from vehicles. As opposed to the past, where they had to rely on basic information about the vehicle and driver to craft their insurance policies, they can now analyze telematics data with machine learning algorithms to create personalized risk profiles for drivers. Many insurers use this data to give discounts to drivers who have safe driving habits and penalize dangerous behavior such as speeding, hard braking, harsh acceleration, and hard cornering. The same data can help reconstruct accident scenes and enable insurers to better understand and assess what happened, which results in much faster claims processing. In the health insurance sector, service providers use machine learning to help patients choose the best health insurance coverage options to fit their needs. Data collected from wearables such as fitness trackers and heart rate monitors help insurers monitor track and reward healthy habits such as regular exercise, and encourage preventive care by providing healthy nutrition tips.
Over the past ten years, personal medical devices such as insulin pumps, heart and glucose monitors, defibrillators and pacemakers have been connected to the internet as part of the Internet of Medical Things (IoMT). At the same time, researchers have identified a growing number of software vulnerabilities and demonstrated the feasibility of attacks on these products. This can lead to targeted attacks on both individuals and entire product classes. In some cases, the health information generated by the devices can also be intercepted. So far, the healthcare industry has struggled to respond to the problem – especially when the official life of the equipment has expired. As with so many IoT devices of this generation, networking was more important than the need for cybersecurity. The complex task of maintaining and repairing equipment is badly organized, inadequate or completely absent. Through the development of software and hardware platforms, vehicles and transport infrastructure are increasingly connected.
Turner explained, "In our own research we have shown that it is conceivable that the roots of trust pre-installed in all iOS devices can be a very fertile ground for attacking mobile devices in the way that the FTI Consulting report outlined. It is also very convenient that Apple does not allow for third party monitoring of their devices or operating systems, allowing attackers to completely remove any forensic evidence by merely forcing a shutdown of the device, with nearly all evidence destroyed once it is finished rebooting." But, you can't stop some cyberattacks from happening. "Unfortunately, in the case of zero-day exploits like the ones that were probably used in the Bezos case, even the best threat defense tools cannot protect users from that class of attacks. We have worked with several organizations to build programs to protect executives from these types of attacks, but they require resources and operational discipline to be effective," he said. Turner said that anyone without a properly maintained mobile device, meaning security updates installed within three weeks of release, is at risk. First and foremost, get rid of WhatsApp on anyone's phone at your company.
Breaching private companies can create doorways into government networks as the two heavily rely on each other, he notes in an interview with Information Security Media Group. For example, Granicus, one of the largest IT service providers for U.S. federal and local government agencies, recently left a massive Elasticsearch database exposed to the internet. Alexander says private sector organizations need to share anonymized information on cybersecurity issues with the government so that further attacks can be prevented. "In cyber, each company works by itself and shares what is important. But you don't get the whole picture so you don't see what's going on," Alexander says. A "collective defense" approach means the entire cybersecurity community would work together, he explains. The Cybersecurity Information Sharing Act of 2015 provides a legal framework for government agencies and private sector organizations to voluntarily share cybersecurity information and other security data, Alexander points out.
Defense-in-depth is a strategy in which several layers of security control are introduced in an application. Sensitive services get layers of security cover, so a potential attacker who has exploited one of the microservices in the application may not be able to do so to another microservice or other layers of the application. Rather than depending on a single, seemingly robust security measure, use all the security measures at your disposal to create layers of security that potential attackers will have to break through. For instance, even if you already have a strong network perimeter firewall in place, ensure that you still practice strong token-based identification, keep addresses of sensitive microservices private and maintain a strong monitoring layer that diligently identifies unusual behavior. In a typical microservices-based application, it's ideal that service consumers do not communicate with microservices directly.
The entire security team needs to be a learning organization to attract talent and keep up with new threats and new defenses, Michaux said. Developing this attitude will let prospective employees know that they are joining a company that is open to innovation and experimentation, not one that hyper-risk-averse and slow moving. To reinforce this culture, security leaders should think small and act fast and use the cloud to break things, rebuild, and improve. "Security teams have to realize that it's OK to break things as long as you learn something from it and quickly and apply that knowledge productively," said Caleb Queern, a director of KPMG cybersecurity services. CISOs should take an honest look at automation in 2020 as well. Ask what artificial intelligence can handle and what requires human attention. The goal should be to automate at least 50% of the basic controls of the security environment. Finally, security professionals should be able to read and write basic code. This has two benefits: it will earn the respect of DevOps engineers and it will help security pros know when to influence the development process.
Quote for the day:
"Even the demons are encouraged when their chief is "not lost in loss itself." -- John Milton