Each asset vulnerability is assigned a CVSS score that describes the technical risk. This score is a common, neutral framework based on the ease of exploitation and potential impact on confidentiality, integrity and availability. But CVSS scores alone don’t consider the asset’s value to the business. You should also ask the following three questions:
1. Is the asset the most important server in the organization (i.e., where critical data is stored)?
2. Is it an application that processes business transactions (e.g., e-commerce)? Business criticality is a factor that must be considered and weighed in determining whether to prioritize the asset.
3. What is the threat level associated with the vulnerability? This is based on assessing activity by hackers around the vulnerability. Solution providers monitor this activity to provide threat intelligence data feeds to mature security organizations.
All three factors need to be put together and correlated into a cyber risk score for the asset. A score like this allows the security teams to apply data-driven judgment to their prioritization and remediation of vulnerabilities found.
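The three-factor scoring described above, as an added example that is not code from the excerpted article: the multipliers, tier names, asset names and VULN-x identifiers are all assumptions chosen to show how a high-CVSS finding on a throwaway host can rank below a lower-CVSS finding on a critical, actively targeted asset.

```python
from dataclasses import dataclass

# Assumed multipliers for the two non-CVSS factors. The article names the
# factors but gives no weights, so these are illustrative, not a standard.
CRITICALITY_WEIGHT = {"low": 0.6, "medium": 0.8, "high": 1.0, "critical": 1.2}
THREAT_WEIGHT = {"none": 0.7, "poc": 0.9, "active": 1.2}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str      # placeholder identifiers below, not real CVE numbers
    cvss: float       # CVSS base score, 0.0 to 10.0
    criticality: str  # business criticality tier of the asset
    threat: str       # threat-intel level: none / poc (public exploit) / active


def cyber_risk_score(f: Finding) -> float:
    """Combine CVSS, business criticality and threat level into one 0-10 score."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range on {f.vuln_id}: {f.cvss}")
    if f.criticality not in CRITICALITY_WEIGHT or f.threat not in THREAT_WEIGHT:
        raise ValueError(f"unknown criticality or threat tier on {f.vuln_id}")
    raw = f.cvss * CRITICALITY_WEIGHT[f.criticality] * THREAT_WEIGHT[f.threat]
    return round(min(raw, 10.0), 1)  # cap so the result stays on the familiar scale


def prioritize(findings):
    """Highest risk first; CVSS breaks ties so the technical score still matters."""
    return sorted(findings, key=lambda f: (-cyber_risk_score(f), -f.cvss))


# Constructed sample findings (assumed assets and placeholder vulnerability ids).
SAMPLE_FINDINGS = [
    Finding("dev-sandbox-07", "VULN-A", 9.8, "low", "none"),
    Finding("erp-db-01", "VULN-B", 7.2, "critical", "active"),
    Finding("shop-web-02", "VULN-C", 6.1, "high", "poc"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{cyber_risk_score(f):4.1f}  cvss={f.cvss}  {f.asset}  {f.vuln_id}")
```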
Nick Heudecker, Former VP of Data and Analytics at Gartner, claims “CIOs are at a strange crossroads with data today. They are both competing and collaborating with CDOs that may be taking their budget and staff, but they’re still ultimately responsible for data infrastructure.” Some, says Microsoft Security Architect Wayne Anderson, believe, unfortunately, that “the CDO is a yellow flag to the CIO to look at their role in the organization.” Without question, CIOs need to make IT a better partner. To do this, they need to connect with the business. They need to make data transformation happen and need to become a data champion. Former CIO Joanna Young argues that for data to win, there needs to be collaboration between technology functions. She says, however, “I have yet to see an organization with CIO, CTO, and CDO where the sum is greater than the parts; as roles and responsibilities get murky, how can they be effective?” With this said, IT typically does not own the corporation’s data. For this reason, Sacolick says, “a key responsibility of the CIO and/or CDO is defining owners and educating them on their responsibilities, especially for data quality.”
AI-powered cyberattacks are conventional cyberattacks augmented with AI and machine learning technologies. Take phishing, for example — a type of social engineering where an attacker sends a message designed to trick a human into revealing sensitive information or installing malware. Infused with AI, phishing messages can be personalized to target high-profile employees at enterprises (like members of the C-suite) in a practice known as “spear phishing.” Imagine an adversarial group attempting to impersonate board members or send fake invoices claiming to come from familiar suppliers. Sourcing a machine learning language model capable of generating convincing-sounding emails, the group could fine-tune a system to generate replies that adopt the tone and tenor of the impersonated sender and even make references to previous correspondences. That might sound far-fetched — but there’s already growing concern among academics that tools like GPT-3 could be co-opted to foment discord by spreading misinformation, disinformation, and outright lies. Phishing emails need not be highly targeted to present a threat to organizations.
There are also multiple other security flaws in the same web-management interface. For instance, the bug tracked as CVE-2021-1541 is an arbitrary code-execution vulnerability that would allow an authenticated, remote attacker to execute arbitrary commands as a root user on the underlying operating system. “This vulnerability is due to a lack of parameter validation for TFTP configuration parameters,” according to Cisco. “An attacker could exploit this vulnerability by entering crafted input for specific TFTP configuration parameters. A successful exploit could allow the attacker to execute arbitrary commands as a root user on the underlying operating system.” The attacker must have valid administrative credentials on the device in order to exploit the issue, so the CVSS score comes in at 7.2 rather than critical. The issue tracked as CVE-2021-1543, meanwhile, allows cross-site scripting from an unauthenticated, remote attacker (CVSS score: 6.1). “This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected device,” according to Cisco. “An attacker could exploit this vulnerability by persuading a user to click a malicious link and access a specific page. ...”
By design, containers work best with stateless applications. Kubernetes is able to create and remove containers in a rapid and dynamic manner because the applications within those containers come packaged with all of the dependencies they need to run. Regardless of where a new container is spun up — the same cluster or a different cloud provider — Kubernetes ensures that the application has access to the fundamental resources it needs to operate. The dynamic creation and deletion of containers doesn’t work well for applications that need to persistently store data. As a stateful, containerized application is created or destroyed across a Kubernetes cluster, it must always know where its data is, have a high degree of access to that data and be able to ensure its integrity. This isn’t possible if an application’s stored state is destroyed every time its container is spun down. Developers and platform managers want the best of both worlds: They want the fast failover, easy deployment and the efficiency of containers with the persistence of stateful workloads.
“It took us 40 years in math to make sense of four pages,” said Vincent Vargas, a mathematician at the French National Center for Scientific Research and co-author of the research with Rémi Rhodes of Aix-Marseille University, Antti Kupiainen of the University of Helsinki, François David of the French National Center for Scientific Research, and Colin Guillarmou of Paris-Saclay University. ... “Quantum gravity basically means random geometry, because quantum means random and gravity means geometry,” said Sun. Polyakov’s first step in exploring the world of random surfaces was to write down an expression defining the odds of finding a particular spiky planet, much as the bell curve defines the odds of meeting someone of a particular height. But his formula did not lead to useful numerical predictions. To solve a quantum field theory is to be able to use the field to predict observations. In practice, this means calculating a field’s “correlation functions,” which capture the field’s behavior by describing the extent to which a measurement of the field at one point relates, or correlates, to a measurement at another point. Calculating correlation functions in the photon field, for instance, can give you the textbook laws of quantum electromagnetism.
DevSecOps adds security into DevOps, further refining the concept to address code quality, security, and reliability assurance through automation, enabling continuous security and compliance. Organizations seeking to comply with Sarbanes Oxley (SOX), Payment Card Industry Data Security Standard (PCI DSS), FedRAMP, and similar programs are candidates for implementing DevSecOps. ... The more you move security mitigation to the left to tackle these issues in development, the more money you save. You also avoid potential negative headlines because your teams don't have to respond to issues in production, where remediation costs can soar way higher than if you caught them in your development environment. You can treat the move from DevOps to DevSecOps as another step in the DevOps journey. ... Even if you treat DevSecOps as another step in your DevOps journey, you can expect changes to your toolchain, roles on your DevOps and security teams, and how your groups interact. Over 60% of the respondents to GitLab's 2021 Global DevSecOps Survey report new roles and responsibilities because of DevOps, so prepare your people upfront and keep surprises to a minimum.
We’ve discussed personal branding extensively on this blog. And you can think of thought leadership as an extension of your personal brand — it can even become a goal in your branding and content marketing strategy. But what is it? Thought leadership taps into your industry expertise, your passion, and your talent, all to connect you with your audience. A thought leader produces valuable content that not only addresses the pain points of his/her audience but also delivers key insights and advice on industry trends that aren’t available elsewhere. One of the most advantageous benefits of thought leadership is that it is accessible to anyone. It doesn’t matter your background or degrees. If you have knowledge and expertise, you can become a thought leader! But there’s one caveat. While you can become a thought leader, it is not something that you can force. You can’t just label yourself as a “thought leader” and expect everyone to get the memo. This title has to be earned through great content, proven ability, and visibility.
How these new blocks are created is key to why blockchain is considered highly secure. A majority of nodes must verify and confirm the legitimacy of the new data before a new block can be added to the ledger. For a cryptocurrency, they might involve ensuring that new transactions in a block were not fraudulent, or that coins had not been spent more than once. This is different from a standalone database or spreadsheet, where one person can make changes without oversight. “Once there is consensus, the block is added to the chain and the underlying transactions are recorded in the distributed ledger,” says C. Neil Gray, partner in the fintech practice areas at Duane Morris LLP. “Blocks are securely linked together, forming a secure digital chain from the beginning of the ledger to the present.” ... “As a reward for their efforts in validating changes to the shared data, nodes are typically rewarded with new amounts of the blockchain’s native currency—e.g., new bitcoin on the bitcoin blockchain,” says Sarah Shtylman, fintech and blockchain counsel with Perkins Coie.
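The “securely linked” property quoted above, as an added example that is not code from the excerpted article: each block's hash covers the previous block's hash, so altering one recorded transaction invalidates that block, and recomputing only that block's hash still leaves every later block pointing at a hash that no longer exists. The transactions, field names and SHA-256 choice are assumptions for illustration.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block has no predecessor

# Constructed sample transactions, three blocks' worth (not real ledger data).
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "dave", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def block_hash(index, prev_hash, transactions):
    # Canonical JSON so every node hashes identical bytes for the same block.
    payload = json.dumps({"index": index, "prev": prev_hash, "tx": transactions}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(batches):
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        txs = copy.deepcopy(txs)  # each block owns its transaction records
        h = block_hash(i, prev, txs)
        chain.append({"index": i, "prev": prev, "tx": txs, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the index of the first block that fails verification, or -1 if intact."""
    prev = GENESIS_PREV
    for blk in chain:
        if blk["prev"] != prev or block_hash(blk["index"], blk["prev"], blk["tx"]) != blk["hash"]:
            return blk["index"]
        prev = blk["hash"]
    return -1


def tamper_demo():
    """Rewrite one recorded transaction and report where verification breaks."""
    chain = build_chain(SAMPLE_BATCHES)
    chain[1]["tx"][0]["amount"] = 999
    first_break = verify_chain(chain)   # block 1: stored hash no longer matches its content
    chain[1]["hash"] = block_hash(1, chain[1]["prev"], chain[1]["tx"])
    second_break = verify_chain(chain)  # block 2: still links to the old hash of block 1
    return first_break, second_break
```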
If you have ever visited a software shop where they turn out great products, you will have noticed the enthusiasm of the people for their work. You will also have noticed that these skilled people are given a working atmosphere that is conducive to their work. They feel safe to argue if they think they have a better answer; they are valued by their organisation; they are given an appropriate amount of time to do their tasks. This is workplace culture. For the last two years, we, along with our partners in The Atlantic Systems Guild, have been writing a book on workplace culture. It is not the intention of this article to sell you a book (of course we would be delighted if you buy it) but to demonstrate some findings from our work. To have a useful view of culture, we identified six drivers of workplace culture. It is worth having a quick look at these drivers, because even a superficial glance will show you areas that you might work on to improve your own workplace culture, and thereby the performance of the workplace.
Quote for the day:
"To do great things is difficult; but to command great things is more difficult." -- Friedrich Nietzsche