The Importance of IT Security in Your Merger Acquisition
There is no question that cybersecurity risks and threats are growing
exponentially. A report from Cybersecurity Ventures estimated a ransomware
attack on businesses would happen every 11 seconds in 2021. Global ransomware
costs in 2021 would exceed $20 billion. It seems there are constantly new
reports of major ransomware attacks, costing victims millions of dollars.
Earlier this year, the major ransomware attack on Colonial Pipeline resulted in
disruptions that caused fuel shortages all over the East Coast of the United
States. It helped to show that ransomware attacks on critical service companies
can lead to real-world consequences and widespread disruption. This world of
extreme cybersecurity risks serves as the backdrop for business acquisitions and
mergers. A Gartner report estimated that 60% of organizations that were involved
in M&A activities consider cybersecurity a critical factor in the overall
process. In addition, some 73% of businesses surveyed said that a technology
acquisition was the top priority for their M&A activity, and 62% agreed that
there was a significant cybersecurity risk in acquiring new companies.
The Language Interpretability Tool (LIT): Interactive Exploration and Analysis of NLP Models
LIT supports local explanations, including salience maps, attention, and rich
visualizations of model predictions, as well as aggregate analysis including
metrics, embedding spaces, and flexible slicing. It allows users to easily hop
between visualizations to test local hypotheses and validate them over a
dataset. LIT provides support for counterfactual generation, in which new data
points can be added on the fly, and their effect on the model visualized
immediately. Side-by-side comparison allows for two models, or two individual
data points, to be visualized simultaneously. More details about LIT can be
found in our system demonstration paper, which was presented at EMNLP 2020.
... In order to better address the broad range of users with different
interests and priorities that we hope will use LIT, we’ve built the tool to be
easily customizable and extensible from the start. Using LIT on a particular
NLP model and dataset only requires writing a small bit of Python
code.
How software development will change in 2022
Local development environments are now largely the only part of the software
development lifecycle that still happens locally on a developer’s computer.
Automated builds, staging environments and running production applications
have largely moved from local computers to the cloud. Microsoft and Amazon
have both been working hard on addressing this challenge. In August this year,
Microsoft released GitHub Codespaces to general availability. GitHub
Codespaces offers full development environments that can be accessed using
just a web browser that can start in seconds. The service allows technology
teams who store their code in Microsoft’s GitHub service to develop using
their Visual Studio Code editor fully in the cloud. Amazon also has its own
solution to this problem, with AWS Cloud9 allowing developers to edit and run
their code from the cloud. Startups have also been created to address this
problem – in April, Gitpod announced it had raised $13m for its solution to
move software development to the cloud.
Microservices — The Letter and the Spirit
Ideally, services don’t interact with each other directly. Instead, they use
some integration service to communicate, commonly a service bus. Your goal
here is to make each service independent of the other services, so that each
service has everything it needs to start its job and doesn’t care what happens
after it completes that job. In the exceptional cases where a service calls
another service directly, it must handle the situations in which that second
service fails. ... Microservices present us with an interesting challenge – on
the one hand, the services should be decoupled, yet on the other hand all of
them must be healthy for the solution to perform well, so they must evolve
gracefully without breaking the solution. ... There are multiple ways to do
versioning; any convention would do. I like three-digit semantic versioning
(0.0.0), as it is widely understood by most developers and it is easy to tell
what type of change the service made just by looking at which of the three
digits was updated.
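The three practices the excerpt describes (hand-off through a bus, guarding the rare direct call, and reading the change type off a three-digit version) as an added example in plain Python. This is not code from the article; the service names, topics, the "inventory" callee and all version numbers are constructed for the example.

```python
"""Added example, not code from the article: three of the practices the excerpt
describes, in plain Python with no framework. Service names, topics and
version numbers are all constructed for the example.
  1. a minimal in-process message bus: the publisher hands off a message and
     returns, and a failing subscriber never breaks it;
  2. a direct service-to-service call wrapped so the caller survives the
     callee failing (bounded retries, then a fallback);
  3. a three-digit semantic-version check that tells from which digit changed
     whether a provider's change is major, minor or patch.
"""


class ServiceBus:
    """Stand-in for a real broker: publish() returns once delivery has been
    attempted; subscriber errors go to a dead-letter list, not the publisher."""

    def __init__(self):
        self._subscribers = {}   # topic -> list of handlers
        self.dead_letters = []   # (topic, message, error) for failed deliveries

    def subscribe(self, topic, handler):
        self._subscribers.setdefault(topic, []).append(handler)

    def publish(self, topic, message):
        """Deliver to every subscriber; return how many accepted the message."""
        delivered = 0
        for handler in self._subscribers.get(topic, []):
            try:
                handler(message)
                delivered += 1
            except Exception as err:  # the publisher does not care what happens next
                self.dead_letters.append((topic, message, repr(err)))
        return delivered


class ServiceUnavailable(Exception):
    """Raised when a directly called service fails and no fallback is given."""


def call_with_fallback(call, retries=2, fallback=None):
    """Invoke `call`; retry transient failures up to `retries` times, then use
    the fallback so the calling service degrades instead of crashing."""
    last_error = None
    for _ in range(retries + 1):
        try:
            return call()
        except (TimeoutError, ConnectionError) as err:
            last_error = err
    if fallback is not None:
        return fallback()
    raise ServiceUnavailable(f"callee failed {retries + 1} times: {last_error!r}")


def make_flaky_callee(failures_before_success):
    """Constructed stand-in for a remote 'inventory' service that times out
    the first N times it is called and then answers normally."""
    calls = {"n": 0}

    def callee():
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise TimeoutError("inventory service did not answer in time")
        return {"status": "ok", "stock": 12}

    return callee


def parse_version(text):
    """'MAJOR.MINOR.PATCH' -> (major, minor, patch) as ints."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(p) for p in parts)


def classify_change(old, new):
    """Name the change type from the first of the three digits that moved."""
    o, n = parse_version(old), parse_version(new)
    for label, index in (("major", 0), ("minor", 1), ("patch", 2)):
        if o[index] != n[index]:
            return label
    return "none"


def is_compatible(built_against, provider_version):
    """A consumer built against MAJOR.x.y keeps working while the provider's
    major digit is unchanged and its minor.patch is not older than expected."""
    b, p = parse_version(built_against), parse_version(provider_version)
    return p[0] == b[0] and p[1:] >= b[1:]


if __name__ == "__main__":
    bus = ServiceBus()
    bus.subscribe("order.placed", lambda m: None)    # healthy subscriber
    bus.subscribe("order.placed", lambda m: 1 / 0)   # broken subscriber
    print(bus.publish("order.placed", {"order_id": 42}), len(bus.dead_letters))
    print(call_with_fallback(make_flaky_callee(1)))
    print(classify_change("1.4.2", "2.0.0"), is_compatible("1.4.2", "1.6.0"))
```

The bus is the normal path: the publisher gets a delivery count back and the broken subscriber's error lands in the dead-letter list instead of in the publisher. `call_with_fallback` is the exception path the excerpt allows, and `is_compatible` encodes the usual semver reading (same major digit, minor.patch not older than the consumer was built against); a real deployment would read the provider's version from its manifest or health endpoint.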
All Roads Lead To OpenVPN: Pwning Industrial Remote Access Clients
OpenVPN was written by James Yonan and is free software, available under the
terms of the GNU General Public License version 2 (GPLv2). As a result, many
different systems support OpenVPN. For example, DD-WRT, a Linux-based firmware
used in wireless routers, includes a server for OpenVPN. Due to its
popularity, ease of use, and features, many companies have chosen OpenVPN as
part of their solution. It’s a feasible option for organizations that want to
create a secure tunnel with a couple of new features. Rather than reinventing
the wheel, the company will most likely use OpenVPN as its foundation. In the
past year, due to the increased popularity and growing remote workforce,
Claroty Team82 was busy researching VPN/remote-access solutions. The
majority of them included OpenVPN as part of the secure remote access solution
while the vendor application is a wrapper that manages the OpenVPN instance.
After inspecting a couple of such products, we identified a key problem with
the way these types of products harness OpenVPN—a problem that, in most cases,
can lead to a remote code execution just by luring a victim to a malicious
website.
More Stealthier Version of BrazKing Android Malware Spotted in the Wild
"It turns out that its developers have been working on making the malware more
agile than before, moving its core overlay mechanism to pull fake overlay
screens from the command-and-control (C2) server in real-time," IBM X-Force
researcher Shahar Tavor noted in a technical deep dive published last week. "The
malware […] allows the attacker to log keystrokes, extract the password, take
over, initiate a transaction, and grab other transaction authorization details
to complete it." The infection routine kicks off with a social engineering
message that includes a link to an HTTPS website that warns prospective victims
about security issues in their devices, while prompting an option to update the
operating system to the latest version. ... BrazKing, like its predecessor,
abuses accessibility permissions to perform overlay attacks on banking apps, but
instead of retrieving a fake screen from a hardcoded URL and presenting it on top
of the legitimate app, the process is now conducted on the server-side so that
the list of targeted apps can be modified without making changes to the malware
itself.
Common Cloud Misconfigurations Exploited in Minutes, Report
Unit 42 conducted the current cloud-misconfiguration study between July 2021 and
August 2021, deploying 320 honeypots with even distributions of SSH, Samba,
Postgres and RDP across four regions–North America (NA), Asia Pacific (APAC) and
Europe (EU). Their research analyzed the time, frequency and origins of the
attacks observed during that time in the infrastructure. To lure attackers,
researchers intentionally configured a few accounts with weak credentials such
as admin:admin, guest:guest, administrator:password, which granted limited
access to the application in a sandboxed environment. They reset honeypots after
a compromising event—i.e., when a threat actor successfully authenticated via
one of the credentials and gained access to the application. ... The team
analyzed attacks according to a variety of attack patterns, including: the time
attackers took to discover and compromise a new service; the average time
between two consecutive compromising events of a targeted application; the
number of attacker IPs observed on a honeypot; and the number of days an
attacker IP was observed.
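The four attack-pattern metrics the excerpt lists, computed over a small honeypot event log as an added example. This is not Unit 42's code or data: the `key=value` line format, the honeypot names, the credentials and the IP addresses (documentation ranges) are all constructed here.

```python
"""Added example, not Unit 42's code or data: the four attack-pattern metrics
the excerpt lists, computed over a constructed honeypot event log.

Assumed (invented) log format, one event per line:
  <ISO-8601 UTC timestamp> honeypot=<id> service=<name>
      event=<deployed|compromised|reset> [src=<ip>] [cred=<user:pass>]
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log; the IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-07-01T00:00:00Z honeypot=hp-ssh-01 service=ssh event=deployed
2021-07-01T00:07:30Z honeypot=hp-ssh-01 service=ssh event=compromised src=198.51.100.7 cred=admin:admin
2021-07-01T00:07:31Z honeypot=hp-ssh-01 service=ssh event=reset
2021-07-01T02:07:30Z honeypot=hp-ssh-01 service=ssh event=compromised src=203.0.113.9 cred=guest:guest
2021-07-01T02:07:31Z honeypot=hp-ssh-01 service=ssh event=reset
2021-07-02T01:07:30Z honeypot=hp-ssh-01 service=ssh event=compromised src=198.51.100.7 cred=admin:admin
2021-07-01T00:00:00Z honeypot=hp-rdp-01 service=rdp event=deployed
2021-07-01T06:00:00Z honeypot=hp-rdp-01 service=rdp event=compromised src=192.0.2.5 cred=administrator:password
"""


def parse_line(line):
    """Turn one 'key=value' log line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-empty line and return the events in time order."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def compromises(events):
    return [e for e in events if e["event"] == "compromised"]


def time_to_first_compromise(events):
    """Seconds from 'deployed' to the first 'compromised' event, per honeypot."""
    deployed, first = {}, {}
    for e in events:  # events are time-ordered
        hp = e["honeypot"]
        if e["event"] == "deployed":
            deployed[hp] = e["ts"]
        elif e["event"] == "compromised" and hp in deployed and hp not in first:
            first[hp] = (e["ts"] - deployed[hp]).total_seconds()
    return first


def mean_time_between_compromises(events):
    """Mean seconds between consecutive compromises of the same honeypot
    (None when a honeypot was compromised fewer than twice)."""
    stamps = defaultdict(list)
    for e in compromises(events):
        stamps[e["honeypot"]].append(e["ts"])
    result = {}
    for hp, ts in stamps.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        result[hp] = mean(gaps) if gaps else None
    return result


def attacker_ips_per_honeypot(events):
    """Number of distinct attacker IPs seen compromising each honeypot."""
    ips = defaultdict(set)
    for e in compromises(events):
        ips[e["honeypot"]].add(e["src"])
    return {hp: len(s) for hp, s in ips.items()}


def days_observed_per_ip(events):
    """Number of distinct calendar days (UTC) on which each attacker IP was seen."""
    days = defaultdict(set)
    for e in compromises(events):
        days[e["src"]].add(e["ts"].date())
    return {ip: len(d) for ip, d in days.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("time to first compromise (s):", time_to_first_compromise(evs))
    print("mean gap between compromises (s):", mean_time_between_compromises(evs))
    print("attacker IPs per honeypot:", attacker_ips_per_honeypot(evs))
    print("days each attacker IP was observed:", days_observed_per_ip(evs))
```

On the sample log the SSH honeypot is first compromised 450 seconds after deployment and the RDP one after six hours; because the honeypots are reset after each compromise, the gap between consecutive compromises measures re-discovery time rather than dwell time, which is why the metric is computed per honeypot and not per attacker.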
Getting real about DEI means getting personal
Leaders also need to know themselves and their own biases. “We learn biases
through the media, family, friends, and educators over time and often don’t
realize that they’re causing harm,” Epler explained. She called out her own
struggles with nonbinary gender pronouns. I can relate. When you grow up in a
Dick-and-Jane world, it isn’t easy to switch pronouns and learn new ones that
conflict with grammatical rules that have become baked into your DNA after
decades of writing. If you aren’t aware of your biases, they are likely to
manifest in microaggressions, if not something worse. “Microaggressions are
everyday slights, insults, and negative verbal and nonverbal communications
that, whether intentional or not, can make someone feel belittled, disrespected,
unheard, unsafe, other, tokenized, gaslighted, impeded, and/or like they don’t
belong,” writes Epler in her book. When leaders witness microaggressions, they
must defend the people subjected to them.
IT hiring: 5 ways to attract talent amidst the Great Resignation
By now, perhaps your organization has its remote work environment down to a
science. Ask yourself what resources you can promote to potential new hires that
will instill confidence in their decision to move forward with your company.
Especially for recent graduates just entering the workforce, a commitment to
help them transition and build success from the start can help move the needle
in your organization’s favor. Earlier this year, for example, social media
software company Buffer found success by offering new hires $500 to set up their
home office. According to one employee engagement blog, Buffer also offers its
employees coworking space stipends and internet reimbursement. To
increase engagement and productivity, consider what portion of your resources
you can allocate to designing a premium onboarding experience for new hires. A
strong career growth curve is a must-have for recent grads. Making your career
advancement initiatives clear in the early stages of the recruiting process is a
win-win for organizations and employees alike.
Report: China to Target Encrypted Data as Quantum Advances
The Booz Allen Hamilton researchers note that since approximately 2016, China
has emerged as a major quantum-computing research and development center, backed
by substantial policy support at the highest levels of its government. Still,
the country's quantum experts have suggested that they remain behind the U.S. in
several quantum categories - though China hopes to surpass the U.S. by the
mid-2020s. While experts say this is unlikely, China may surpass Western nations
in early use cases, the report states. Advancements in quantum simulations, the
researchers contend, may expedite the discovery of new drugs, high-performance
materials and fertilizers, among other key products. These are areas that align
with the country's strategic economic plan, which historically parallels its
economic espionage efforts. "In the 2020s, Chinese economic espionage will
likely increasingly steal data that could be used to feed quantum simulations,"
researchers say, though they claim it is unlikely that Chinese computer
scientists will be able to break current-generation encryption before
2030.
Otomi: OSS Developer Self-Service for Kubernetes
The ultimate goal of developer self-service is to have less friction in the
development process and ensure that developers can deliver customer value
faster. This can be achieved by enabling the separation of concerns for both
dev and ops teams. The ops team manages the stack and enforces governance and
compliance with security policies and best practices. Dev teams can create new
environments on-demand, create and expose services using best practices, use
ready-made templatized options, and get direct access to all the tools they
need for visibility. Think of it as paving the road towards fast delivery and
minimizing risks by providing safeguards and standards. Developers can do what
they need to do and do it when they like to. And yes, sometimes not in the way
they would like to do it. The only challenge is that building a platform like
this takes a lot of time, and not all organizations have the resources to do
so. The goal behind the Otomi open-source project was to offer a single
deployable package that offers all of this out of the box.
Quote for the day:
"Leaders who won't own failures become failures." -- Orrin Woodward