Daily Tech Digest - December 02, 2020

Establish AI Governance, Not Best Intentions, to Keep Companies Honest

Transparency is necessary to adapt analytic models to rapidly changing environments without introducing bias. The pandemic’s seesawing epidemiologic and economic conditions are a textbook example. Without an auditable, immutable system of record, companies have to either guess or pray that their AI models still perform accurately.  This is of critical importance as, say, credit card holders request credit limit increases to weather unemployment. Lenders want to extend as much additional credit as prudently possible, but to do so, they must feel secure that the models assisting such decisions can still be trusted. Instead of ferreting through emails and directories or hunting down the data scientist who built the model, the bank’s existing staff can quickly consult an immutable system of record that documents all model tests, development decisions and outcomes. They can see what the credit origination model is sensitive to, determine if features are now becoming biased in the COVID environment, and build mitigation strategies based on the model’s audit investigation. Responsibility is a heavy mantle to bear, but our societal climate underscores the need for companies to use AI technology with deep sensitivity to its impact. 

The three stages of security risk reprioritization

As organizations currently undergo planning and budget allocation for 2021, they are looking to invest in more permanent solutions. IT teams are trying to understand how they can best invest in solutions that will ensure a strong security posture. There’s also a greater importance in starting to understand the greater need for complete visibility into the endpoint, even as devices are operating on remote networks. Policies are being created around how much work should actually be done on a VPN and by default creating more forward-looking permanent policies and technology solutions. But as security teams embrace new tools for security and operations to enable continuity efforts, it also generates new attack vectors. COVID-19 has presented the opportunity for the IT community to evaluate what can and can’t be trusted, even when operating under Zero Trust architectures. For example, some of the technologies, like VPN, can undermine what they were designed for. At the beginning of the pandemic, CISA issued a warning around the continued exploitation of specific VPN vulnerabilities. 

Updates To The Open FAIR Body Of Knowledge Part 2

The Open FAIR BoK Update Project Working Group made a deliberate effort to more logically present information in O-RA. In Section 4: Risk Measurement: Modeling and Estimate, the ideas of accuracy and precision are now presented before the concepts of subjectivity and objectivity, and the section ends with the concepts of estimates and calibration. O-RA now also emphasizes having usefully precise estimates; in other words, an estimate is usefully precise if more precision would not improve or change the decision being made with the information. The concept of “Confidence Level in the Most Likely Value” as a parameter to model estimates has been removed from O-RA in bringing it to Version 2.0. Instead, this concept has been replaced by the choice of distribution that best represents what the Open FAIR risk analyst knows about the risk factor being modelled; however, Open FAIR is agnostic on the distribution type used. O-RA Version 2.0 also takes inspiration the Open FAIR™ Risk Analysis Process Guide to better define how to do an Open FAIR risk analysis in Section 5: Risk Analysis Process and Methodology. To do this, O-RA specifies that a risk analyst must first scope the analysis by identifying a Loss Scenario (Stage 1). The Loss Scenario is the story of loss that forms a sentence from the perspective of the Primary Stakeholder.

'Return to Office' Phishing Emails Aim to Steal Credentials

In the phishing campaign uncovered by Abnormal Security, the emails are disguised as an automated internal notification from the company as indicated by the sender's display name. "But the sender's actual address is 'news@newsletterverwaltung.de,' an otherwise unknown party," the research report states. "Further, the IP originates from a blacklisted VPN service that is not consistent with the corporate IP, which indicates the sender is impersonating the automated internal system." The emails, sent to specific employees, contain an HTML attachment that bears the recipient's name, which lures employees into opening it. The email also contains text that makes it seem as if the recipient has received a voicemail, researchers state. By clicking on the attachment, the user is redirected to a SharePoint document with new instructions on the company's remote working policy. "Underneath the new policy, there is text that states 'Proceed with acknowledgement here.' Clicking on this link redirects the user to the attack landing page, which is a form to enter the employee's email credentials," researchers note. Once a recipient falls victim to this trap, the login credentials for their email account are harvested.

CIO interview: John Davidson, First Central Group

“Intelligent automation means so much more for us than an efficiency tool,” says Davidson. “We are building an entirely new technical competency into our business, so that it becomes part of our DNA. This not only changes operational execution but, importantly, changes the management mindset about the art of the possible and strategic decision-making.” The automated renewal process is another area where Blue Prism has been deployed. With the support of Blue Prism’s partner, IT and automation consultancy T-Tech, the First Central team can check for accuracy the issue of more than 3,000 renewal invitations daily in just two hours. The new process verifies each renewal notice, removing the need for costly, time-intensive manual work downstream to correct anomalies and reduce the risk of a regulatory incident. Along with driving operational efficiencies, Davidson believes RPA also boosts business confidence. “Risk mitigation is a lot more intangible, but can measure the cost of distraction and can measure our effectiveness from a robotics perspective,” he says. Davidson’s team has established a robotics capability for the business capability. “It is not my job to close down operational risk,” he says. “That’s the responsibility of the process owner. My team has to deliver technology that closes down the risk.

Q&A on the Book The Power of Virtual Distance

Virtual work gives us many options as to where, when and how to work. And this is highly useful and a positive development. However, as we discovered from the beginning, the trade-offs and unintended consequences are extensive and need to be corrected. When we work mainly through screens, the human contextual markers that guide our cognitive and emotional selves, to know who we can trust and under what circumstances, disappear behind virtual curtains. We have shown conclusively that high Virtual Distance is the statistical equivalent of Distrust, while lower Virtual Distance results in the strong trust bonds we need to build relationship foundations that ultimately result in both better work product as well as higher levels of well-being. Recently a senior executive from a large global company expressed his concern regarding the fact that many leaders do not trust their employees to work virtually. And we’ve found that it’s a two-way street, as many employees don’t trust their leaders to assess or treat them fairly under these conditions. The erosion of trust was highly problematic before Covid19. Now, it’s risen to the level of a “crisis of distrust”. 

Why I'd Take Good IT Hygiene Over Security's Latest Silver Bullet

The most common way to perform lateral movement is to reuse privileges in the assets that attackers have a foothold on, such as secrets and credentials stored on breached machines. Vendors will preach that they can distinguish between legitimate traffic and lateral movements — to even automatically block such illicit activity. They'll use terms like machine learning and AI to make their product sound advanced, but these capabilities are very limited. The product may block well-known malware that performs the exact same sequence in any invocation and hence was "signed" by them — making such products glorified, network-based, signature-matching systems. But because AI and machine learning are based on training, they aren't able to distinguish between legitimate traffic and lateral movement with an accuracy that fully supports runtime prevention. Moreover, no one knows how these applications work in all scenarios. Are you willing to block traffic just because it hasn't been seen before? Or what about an edge case in the app it's never seen? On the other hand, managing lateral movement risk is definitely possible. This can be done by analyzing the secrets and privileges stored and associated with any given asset and determining if they're overly permissive. 

Automation Justification

The human touch is also recommended in code reviews — yes, please use the code grammar checkers and test coverage tools, but getting your code reviewed and reviewing others’ code benefits everyone involved. Sometimes folks worry about the cost of tools and labor to get the process started. Lastly, when starting a larger automation project, do not try to do everything at once. Prioritizing and easing into the automation process makes it simpler and increases the probability it can be done with no loss of functionality. In terms of naysayers, some of the reasons given by humans are “if it ain’t broke, don't fix it,” some don't feel comfortable if they are not in control, sometimes the person does not understand the tools needed, and some folks feel like a computer will replace their job. So what do we do? Show them the metrics that can show improvements, teach them how to use the tools, or just let them know that now that their time is freed up; they can do more meaningful, fun, cool stuff with their time. Alluding back to an earlier slide, here are some metrics that will show your team, your management, and the bean counters some improvement: cost and time savings; test coverage and speedup; customer satisfaction; fewer defects; faster time to release, as well as to recover from issues; and reduced risk.

The vicious cycle of circular dependencies in microservices

In software engineering, modularity refers to the degree to which an application can be divided into independent, interchangeable modules that work together to form a single functioning item that can serve a specific business function. Modularity promotes reusability, better maintenance and manageability and promotes low coupling and high cohesion. Despite the benefits it offers, modular design is still plagued by dependency problems. In a typical microservices architecture, you'll often encounter dependencies among the services and components. Although these services are modeled as isolated, independent units, they still need to communicate for the purpose of data and information exchange. Ideally, a microservices application shouldn't contain circular dependencies. This means that one service should not call another one directly. Instead, those services should operate on event-based triggers. However, reality dictates that most developers will still need to closely link certain parts of an application, and problematic dependencies will persist. A circular dependency is defined as a relationship between two or more application modules that are codependent.

What is cyber insurance? Everything you need to know about what it covers and how it works

Different policy providers might offer coverage of different things, but generally cyber insurance coverage will be likely to cover the immediate costs associated with falling victim to a cyberattack. "Cyber insurance policies are designed to cover the costs of security failures, including data recovery, system forensics, as well as the costs of legal defence and making reparations to customers," says Mark Bagley, VP at cybersecurity company AttackIQ. Underwriting data recovery and system forensics, for example, would help cover some of the cost of investigating and re-mediating a cyberattack by employing forensic cybersecurity professionals to aid in finding out what happened – and fix the issue. This is the sort of standard procedure that follows in the aftermath of a ransomware attack, one of the most damaging and disrupting kinds of incident an organisation can face right now. It is also the case that some cyber insurance companies tcover the cost of actually giving in and paying a ransom – even though that's something that law enforcement and the information security industry doesn't recommend, as it just encourages cyber criminals to commit more attacks.

Quote for the day:

"Leadership is not a position. It is a combination of something you are (character) and some things you do (competence)." -- Ken Melrose

No comments:

Post a Comment