Daily Tech Digest - May 14, 2021

Thoughts on Cloud Security

With good security professionals in high demand, companies are better off investing in their security professionals that show an interest in “cloud”; in order to take their security organization to the next level. Solid training and support, will enable them to better collaborate with development teams and significantly raise the “security” bar of their cloud environment. There are plenty of free resources available today, such as cloud security standards and open source solutions, that can be leveraged. The Center for Internet Security (CIS) controls and/or AWS’ Well-Architected Framework are great resources to help get started. As a reformed cloud security professional, I can say that embracing the cloud takes a shift in mindset. In general, security teams need to stop saying “no” and getting in the way of innovation. Instead, they need to be able to provide development teams the access they need — when they need it, and put guardrails in place to ensure security. To be successful, it is key to do this in a way that it does not have a significant impact in the development experience. 

85% of Data Breaches Involve Human Interaction: Verizon DBIR

"Credentials are the skeleton key," Bassett says. Most know stolen credentials are a problem, but what they may not think about is how they spread across attack patterns and enable the start of many different types of data breaches, from phishing campaigns, to stealing the contents of a target mailbox, to a ransomware campaign in which an attacker encrypts then steals data. The trend toward simplicity is evident in the continued increase of business email compromise (BEC), which followed phishing as the second most common form of social engineering, reflecting a 15x spike in "misrepresentation," a type of integrity breach. BEC doubled last year and again this year. Of the 58% of BEC attacks that successfully stole money, the median loss was $30,000, with 95% of BECs costing between $250 and $984,855, researchers learned. Of the breaches analyzed, 85% had a human element. This is a broad term that encompasses any attack that involves a social action: phishing, BEC, lost or stolen credentials, using insecure credentials, human error, misuse, and even malware that has to be clicked then downloaded.

Hybrid working: creating a sustainable model

The evolution of thinking around the workplace we’ve seen in such a short space of time is quite something. Over the course of the last year, business mindsets have shifted from complete allegiance to the physical office, to fully embracing remote working to survive, to a realisation that a hybrid working model may well be the best way for businesses to thrive. Now, as we begin to move out of the pandemic, IT and business leaders should be considering what their workplace strategy looks like in the long term. What can we learn from the last 12 months? What are the tools, technologies and processes we should keep in place? How do we facilitate a reimagined office space? How do we empower employees to be productive and happy wherever they are? There’s no doubt that hybrid working opens up huge opportunity for businesses, from creating a flexible working environment that appeals to a broad range of talent to enabling more efficient ways of working and a healthier work-life balance. But how do we create a hybrid model that is sustainable in the long term?

The Global Artificial Intelligence Race and Strategic Balance

Countries are under pressure to protect their citizens and even political stability in the face of possible malicious/biased uses of AI and Big Data. Because 5G networks are the future backbone of our increasingly digitised economies and societies, ensuring its security and resilience is essential. Even at current capability levels, AI can be used in the cyber domain to augment attacks on cyberinfrastructure. There is no such thing as perfect security, only varying levels of insecurity. These ‘smart’ technologies rely on bidirectional wireless links to communicate with devices and global services, which gives a larger ‘attack surface’ that cyber threats target. Thus, 5G networks may lead to politically divided and potentially noninteroperable technology spheres of influence, where one sphere would be led by the US and another by China, with some others in between (for example the EU, South Korea and Japan).All of these concerns are most significant in the context of authoritarian states but may also undermine the ability of democracies to sustain truthful public debates. For example, ‘deepfake’ algorithms can create fake images and videos that cannot easily be distinguished from authentic ones by humans. It is threatening to global security if deepfake methods are employed to promulgate misinformation.

5 developer tools for detecting and fixing security vulnerabilities

Dependabot - now a native Github solution - has a simple straightforward workflow: automatically open Pull Requests for new dependency versions, and alert on vulnerable dependencies. Dependabot will also clearly differentiate between security-related PR and normal dependency upgrades by tagging [Security] in the title and label, along with including a changelog of the vulnerabilities fixed. ... Similar to Dependabot, Renovate is a GitHub or CLI app that monitors your dependencies and opens Pull Requests when new ones are available. While it supports fewer languages than Dependabot, the main advantage of Renovate is that it's extremely configurable. Ever wished you could write "schedule": "on the first day of the week" in your configs!? Well, Renovate allows you to do that! It also provides fine-grained control of auto-merging dependencies based on rules set in the config. ... Synk is a new one for me, but I really like that it's a product built with developers in mind, regardless of their previous experience with security. While Snyk is a paid product for business+, their free tier covers open-source, personal projects, and small teams, making it a great resource for personal projects and learning, even if you don't have the opportunity to use it on the job!

Adding Security to Testing to Enable Continuous Security Testing

Security testing is a variant of software testing which ensures that the system and applications in an organization are free from any loopholes that may cause a big loss, Thalayasingam said. Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result in a loss of information at the hands of the employees or outsiders of the organization. To kick off security testing, security experts should train quality engineers about security and how to do manual security testing. Next, quality engineers can work with security experts to narrow down the tests for security testing and add value to existing test cases. This will lead to executing the security tests in sprint level activities, automating them, and making them part of continuous integration. Quality engineers should add the security checks to their test process for each story, Thalayasingam suggested. This would help to find the obvious security vulnerabilities and a very early stay. The right guidance and training will help quality engineers to gain the security testing mindset.

Building AI Leadership Brain Trust Is A Business Imperative: Are You Ready?

There are sufficient markers painting this stark prediction if one chooses to dig deeper. Did you know that over half of technology executives in the 2019 Gartner CIO Survey say they intend to employ AI before the end of 2020, up from 14% today? Board directors and CEO have to accelerate their investments in AI, and ensure they are managing the journey wisely with the right AI leadership skills in place and Machine Learning toolkits required to advance AI with sustainability enablements to modernize your business.. In a recent report by NewVantage Partners, 75% of companies cited fear of disruption from data-driven digital competitors as the top reason they’re investing. There are many questions that board directors and CEOs must ask in the face of any large investment consideration, and AI is not inexpensive. On average an AI project can range from as low as $30K to $1 million plus for a MVP, depending on the complexity of the data set, use case being solved to build a baseline AI model to predict an accurate outcome.

Maximizing a hybrid cloud approach with colocation

Companies are increasingly deploying a hybrid cloud approach to balance the benefits and challenges presented by both the public and private cloud. With the hybrid cloud, both types of cloud environments are integrated, allowing data to move seamlessly between platforms. This hybrid architecture can be designed as a bifurcated system in which the private cloud hosts a company’s sensitive data and mission critical components, and the public cloud hosts the rest. With this type of architecture, the data and applications live permanently in their assigned cloud environment, but the two systems are able to communicate seamlessly. Another option – the cloud bursting model – houses all of a company’s information in the private cloud, but when spikes in demand occur the public cloud provides supplementary capacity. Both hybrid approaches give companies greater control over and access to their IT environments and the ability to implement more stringent security protocols on the private cloud portion of their deployment. In addition, a hybrid approach gives organizations flexibility to build a solution that meets their current needs, but that can also evolve as their needs change.

Fake Android, iOS apps promise lucrative investments while stealing your money

The operators have created dedicated websites linked to each individual app, tailored to appear as the impersonated organizations in an effort to improve the apparent legitimacy of the software -- and the likelihood of a scam being successful. Sophos' investigation into the apps began with a report of a single malicious app masquerading as a trading company based in Asia, Goldenway Group. The victim, in this case, was targeted through social media and a dating website and lured to download the fake app. Rather than relying on mass spam emails or phishing, attackers may now also take a more personal approach and try to forge a relationship with their victim, such as by pretending to be a friend or a potential love match. Once trust is established, they will then offer some form of time-sensitive financial opportunity and may also promise guaranteed returns and excellent profits. However, once a victim downloads a malicious app or visits a fake website and provides their details, they are lured into opening an account or cryptocurrency wallet and transferring funds. 

When AI Becomes the Hacker

The core question Schneier asks is this: What if artificial intelligence systems could hack social, economic, and political systems at the computer scale, speed, and range such that humans couldn't detect it in time and suffered the consequences? It's where AIs evolve into "the creative process of finding hacks." "They're already doing that in software, finding vulnerabilities in computer code. They're not that good at it, but eventually they will get better [while] humans stay the same" in their vulnerability discovery capabilities, he says. In less than a decade from now, Schneier predicts, AIs will be able to "beat" humans in capture-the-flag hacking contests, pointing to the DEFCON contest in 2016 when an AI-only team called Mayhem came in dead last against all-human teams. That's because AI technology will evolve and surpass human capability. Schneier says it's not so much AIs "breaking into" systems, but AIs creating their own solutions. "AI comes up with a hack and a vulnerability, and then humans look at it and say, 'That's good,'" and use it as a way to make money, like with hedge funds in the financial sector, he says.

Quote for the day:

"Effective team leaders realize they neither know all the answers, nor can they succeed without the other members of the team." -- Katzenbach & Smith

No comments:

Post a Comment