Daily Tech Digest - August 19, 2021

XSS Bug in SEOPress WordPress Plugin Allows Site Takeover

“The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request,” according to the posting. “A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action.” A REST nonce is a CSRF token: it proves the request came from a logged-in session, not that the session holds the capability the endpoint needs, so any low-privilege account could reach the endpoint. Depending on what an attacker sets the title and description to, the flaw would allow a number of malicious actions, up to and including full site takeover, researchers said. “The payload could include malicious web scripts, like JavaScript, due to a lack of sanitization or escaping on the stored parameters,” they wrote. “These web scripts would then execute any time a user accessed the ‘All Posts’ page. As always, cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects and more. This vulnerability could easily be used by an attacker to take over a WordPress site.” To protect their websites, users should upgrade to version 5.0.4 of SEOPress. Vulnerabilities in WordPress plugins remain fairly common.
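The pattern described above, as an added illustration that is not SEOPress's code or code from the advisory: a hypothetical REST route (namespace example/v1, meta keys _example_seo_*) that updates per-post SEO fields. The weak permission callback mirrors the flaw, checking only that a REST nonce is present; the hardened one checks the edit_post capability for the targeted post, sanitizes on write and escapes on read in the admin list table.

```php
<?php
/**
 * Added example, not code from SEOPress or the advisory. All route names,
 * meta keys and function names are hypothetical.
 */

// WEAK: a REST nonce only proves the request came from a logged-in browser
// session (any authenticated user can mint one via the rest-nonce AJAX
// action). It says nothing about what that user is allowed to edit, and core
// already validates X-WP-Nonce for cookie auth before this callback runs,
// so this is effectively "return true" for every logged-in user.
function example_weak_permission( WP_REST_Request $request ) {
	$nonce = (string) $request->get_header( 'X-WP-Nonce' );
	return wp_verify_nonce( $nonce, 'wp_rest' ) !== false;
}

// HARDENED: the callback's job is authorization, not CSRF checking.
// May this user edit this particular post?
function example_strong_permission( WP_REST_Request $request ) {
	$post_id = (int) $request->get_param( 'id' );
	return $post_id > 0 && current_user_can( 'edit_post', $post_id );
}

function example_update_seo_meta( WP_REST_Request $request ) {
	$post_id = (int) $request->get_param( 'id' );
	// Sanitize on write: strips tags, line breaks and invalid UTF-8.
	$title = sanitize_text_field( (string) $request->get_param( 'title' ) );
	$desc  = sanitize_textarea_field( (string) $request->get_param( 'description' ) );
	update_post_meta( $post_id, '_example_seo_title', $title );
	update_post_meta( $post_id, '_example_seo_description', $desc );
	return rest_ensure_response( array( 'title' => $title, 'description' => $desc ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/seo/(?P<id>\d+)', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'example_update_seo_meta',
		// Swap in 'example_weak_permission' to reproduce the flaw.
		'permission_callback' => 'example_strong_permission',
		'args'                => array(
			'id' => array(
				'validate_callback' => function ( $value ) {
					return ctype_digit( (string) $value );
				},
			),
		),
	) );
} );

// Escape on read: even sanitized meta is escaped when rendered in the
// "All Posts" list table, so a value that slipped past the input filter
// is displayed as text rather than executed as script.
add_filter( 'manage_posts_columns', function ( $columns ) {
	$columns['example_seo_title'] = 'SEO title';
	return $columns;
} );
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
	if ( 'example_seo_title' === $column ) {
		echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
	}
}, 10, 2 );
```

The authorization check is the actual fix; sanitizing on write and escaping on output are the defence in depth that stops a bypassed check from becoming stored XSS in the admin screen.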


How building a world class SOC can alleviate security team burnout

In the short term, this alert overload means an increased potential for high-risk threats being missed as analysts attempt to slog through as many alerts as possible alongside their other duties. Aside from the immediate security issues, this kind of environment poses some serious long-term problems. The frustrations of burnt-out teams can build to the point where analysts will decide to quit their job in search of less stressful positions. We have found that around half of security personnel are considering changing roles at any given time. Not only will they be taking their experience and skills with them, but the ongoing cyber shortage means finding a replacement may be a long and costly process. A team that spends most of its time trudging through alerts and running to put out security fires will also have very little time left for any higher-level strategic activity. This might include undertaking in-depth risk analysis and establishing improved security strategies and processes. Without this activity, the organization will struggle to keep up with evolving cyber threats.


Security through obscurity no longer works

You might expect that companies would be better off keeping their cards close to their chest. The less hackers know about how a company guards its data, the safer the data becomes, according to this line of thinking. In fact, the opposite is true. Secrecy in cyber security puts everyone at risk: the company, its customers, and its suppliers. Electric vehicles serve as a good example of the value of openness in cyber security. Many models require extremely sophisticated software that has to be updated frequently. For example, Tesla distributes updates to owners at least once per month. To deliver updates, an electric car maker requires worldwide access privileges to the on-board computers on its cars. Naturally, car owners want certainty that this does not expose them to hacking, remote carjackings and shut downs, or being spied on as they drive. For this reason, makers of electric vehicles need to be extremely open about their cyber security so that owners, or trusted experts, can assess if the company’s systems offer effective protection. Although they do not themselves manage data, telecom equipment makers take their responsibility in supplying network operators just as seriously as makers of electric cars.


Container Best Practices: What They Are and Why You Should Care

One of the common pitfalls organizations fall into is the misperception that minification of containers IS container best practice. Without a doubt, an outsized amount of time and energy is spent thinking about reducing the size of a container image (minification), and with good reason. Smaller images carry fewer packages, and so fewer vulnerabilities to patch; they are faster to push, pull, and scan; and they are generally less cumbersome in the development lifecycle. That’s why “shrinking a container” has become a common subject for blog posts, video tutorials and Twitter posts. It’s also why the DockerSlim open source project, created and maintained by Kyle Quest, is so popular. It is best known for its ability to automatically create a functionally equivalent but smaller container. Another common tactic for container minification could be described as “The Tale of Two Containers.” In this approach, developers first create a “dev container” comprising all the tools they love to use for development. Then, once development is complete, developers convert their “dev containers” to “prod containers,” typically by replacing the “heavy” underlying base image with something lighter and more secure.


What is Today´s Relevance of an Enterprise Architecture Practice?

It seems that, especially in modern tech companies, the importance of the Enterprise Architecture (EA) practice is decreasing. Some organizations might even consider it an irrelevant practice. In the following, we analyze where such opinions emerge from. In the later parts of this series, we will provide arguments against that reasoning and provide an analysis which shows that this is not the end of Enterprise Architecture as a practice. However, Enterprise Architecture will go through a transformation towards an adapted set of activities, new priorities, and new required skills. ... Apart from the arguments above, there is an additional observation, which is common across many different organizations: the more old-world / legacy IT an organization has, the more important the Enterprise Architects in the organization are. Similarly, in organizations with both old- and new-world IT, Enterprise Architects are responsible for managing the architecture of the old world. However, they have only limited influence on the development of the new-world IT, the digital area.


How computer vision works — and why it’s plagued by bias

Like machine learning overall, computer vision dates back to the 1950s. Without our current computing power and data access, the technique was originally very manual and prone to error. But it did still resemble computer vision as we know it today; the effectiveness of first processing according to basic properties like lines or edges, for example, was discovered in 1959. That same year also saw the invention of a technology that made it possible to transform images into grids of numbers, which incorporated the binary language machines could understand into images. Throughout the next few decades, more technical breakthroughs helped pave the way for computer vision. First, there was the development of computer scanning technology, which for the first time enabled computers to digitize images. Then came the ability to turn two-dimensional images into three-dimensional forms. Object recognition technology that could recognize text arrived in 1974, and by 1982, computer vision really started to take shape. In that same year, one researcher further developed the processing hierarchy, just as another developed an early neural network.


John Oliver on ransomware attacks: ‘It’s in everyone’s interest to get this under control’

Most ominously, ransomware attacks now threaten numerous internet-connected, “smart” in-home devices, such as thermostats, TVs, ovens or even internet-enabled sex toys, such as a butt plug. Which prompted Oliver to remind his audience “arseholes are like opinions – letting the internet be in charge of yours is a really bad idea”. Oliver was legally obligated to say that the butt plug comes with a physical key for emergencies, “which I’m not sure is completely reassuring – keys do get lost, don’t they? Just picture the last time you searched for keys around your house and now raise the stakes significantly.” The point, he continued, was that the costs of ransomware keep rising, as the barrier to entry keeps lowering. The explosion in attacks derives from three main factors. First, ransomware as a service, as in hacking programs sold à la carte, removing the need for technical know-how. “Ideally, no one would launch ransomware attacks,” said Oliver, “but my next preference would be that launching one should require significantly more work than simply clicking ‘add ransomware to cart.’”


IoT could drive adoption of near-premises computing

Strategically, it's not a major leap to consider near-premises data centers that are hybrid, on premises or cloud-based. However, there are always issues, such as figuring out how to redeploy when you have budget constraints and existing resources that must keep working. CIOs and infrastructure architects must also find time to reconstruct IT infrastructure for near-premises computing. Crawford said that enterprises adopting near-premises computing can reduce their compute and storage infrastructure TCO by 30% to 50% and eliminate most or all of the capital costs they would typically need to spend on the data center itself; and that these gains can be further compounded by turning capital expenses into operating expenses through new scalable service models. If CIOs can demonstrate these gains in the cost models that they prepare for IT budgets, near-premises computing may indeed become a new implementation strategy at the edge. Don't overlook the resilience that near-premises computing brings. "The performance of near-premises computing rivals that of on-premises computing but also has the capability to add significantly more resilience," Crawford said.


Enterprise Architecture for Digital Business: Integrated Transformation Strategies

In order to move forward with their DT journeys in this new horizon of the post-pandemic era, practitioners must consider a broader perspective of EA. They must review the impacts as well as the synergies of innovation, disruption, and collaboration with their transformation initiatives. Innovation is not just a new way of developing and deploying business solutions; it is also a way to deliver tangible business outcomes to customers proactively and consistently. Disruption often leverages innovation to accentuate the changes in a business using emerging technology trends. Collaboration harnesses the power of innovation and disruption to enable practitioners to work together and achieve quantifiable business results. It is evident that in this near-post-pandemic era, a new horizon of the business world is evolving. Practitioners must endure rapid changes through the use of digital transformation while leveraging a nimble, flexible, and agile enterprise architecture framework that embraces the essence of innovation, disruption, and collaboration efficiently.


What it means to be a Human leader

Listening should be an everyday task. Leaders discover what is on their staff’s mind only by listening, whether that is a set-piece exercise or on an ongoing basis. Charlie Jacobs, the senior partner at London-based law firm Linklaters since 2016, tries to do this by putting himself in places where he can have informal conversations. Back when business travel was commonplace, whenever he arrived in one of Linklaters’ 30 offices around the world, he headed to the gym, not the boardroom, to find out what was going on. Jacobs was no fan of after-hours drinks and preferred a pre-work spinning class that allowed him to mingle with colleagues from all levels while working up a sweat. “I get a different cross-section of people coming, we get a shake or a fruit juice afterwards, and they can see a more down-to-earth side to the senior partner,” he told me. ... Human leaders are focused on making the best use of their time and keeping organizations focused on their mission. They act as executive sponsors to pluck ideas from within their organization and ensure that promising projects make headway.


Quote for the day:

"Inspired leaders move a business beyond problems into opportunities." -- Dr. Abraham Zaleznik