The Rise of the Technical CEO
Today’s environment is a unique one for leaders. Businesses cannot afford for
leadership to be focused on just one part of the business—the world is too
interconnected and moves too quickly. This is why we have moved into the era of
technologists as CEOs. Every company is a technology company in today’s
digital-first world. Industries are constantly being disrupted by the next big
thing, which means businesses need modern CEOs that are equally comfortable
managing the business as they are with technology. As so many organizations look
to navigate digital transformation journeys, having a leader at the helm who
understands the importance not just of having technology, but having the right
technology, is critical. Technology is a strategic advantage for today’s
organizations. Without a leader who can make those nuanced decisions, it’s
impossible to create solutions that will be useful for customers. And customers
must always be at the center of any CEO’s decisions. Rocket’s solutions touch
the lives of so many every day – from withdrawing money from an ATM to swiping
your credit card at a convenience store, our technology is critical to ensuring
the lives of millions run smoothly.
IT spending trends point to CIO innovation
Forward thinking, meanwhile, will spark an increase in long-term contracts that
accommodate three-to-five-year planning horizons. Inflation and the war for
talent also encourage extended contract periods, Lovelock noted. Longer-term
deals offer CIOs greater certainty regarding cost and the availability of
technical skills, he said. The skill shortage will also generate demand for
external service providers such as consultants and MSPs. The Gartner forecast
shows IT services spending growing 7.9% year over year in 2022, to $1.3 trillion.
The market watcher expects IT services' spending growth to trail only enterprise
software, which tops the Gartner forecast with a projected 11% year-over-year
increase. Business and technology consulting services will emerge as one of the
fastest-growing sectors in IT services, growing at a 10% clip in 2022, Lovelock
said. Cloud adoption will help drive that spurt. Gartner research suggests the
vast majority of large organizations will hire external consultants to devise
cloud strategies over the next few years.
ICO criticises government-backed campaign to delay end-to-end encryption
The privacy watchdog said end-to-end encryption plays an important role in
safeguarding privacy and online safety, protecting children from abusers, and is
crucial for business services. The intervention follows the launch of a
government-funded campaign this week that warns that social media companies are
“blinding themselves” to child sexual abuse by introducing end-to-end encrypted
messaging services. Stephen Bonner, the ICO’s executive director of innovation,
said the discussion on end-to-end encryption had become too unbalanced, with too
much focus on the costs, without weighing up the significant benefits it offers.
“E2EE serves an important role both in safeguarding our privacy and online
safety,” he said. “It strengthens children’s online safety by not allowing
criminals and abusers to send them harmful content. It is also crucial for
businesses, enabling them to share information securely and fosters consumer
confidence in digital services.”
Looking Beyond Biden's Binding Security Directive
What is truly alarming, however, is how far behind many public and private
organizations are with their patch management procedures. We frequently find
known vulnerabilities in our customers' business-critical applications that
are several years old and still unpatched. This directive looks to change
that, ensuring agencies and their third-party vendors develop plans to find
and remediate these known vulnerabilities. Multiple studies demonstrate that
detecting vulnerabilities and prioritizing the right patches quickly and
efficiently are the largest challenges. By establishing a prioritized catalog
of vulnerabilities, the directive seeks to give federal agencies a leg up. The
onus on establishing a plan and process for remediation, however, still
remains with the individual federal agencies. Nevertheless, we're glad to see
the Biden administration take this critical step forward in improving the
cybersecurity posture of the United States and, by extension, the companies
that provide services to the federal government.
After ransomware arrests, some dark web criminals are getting worried
There's a consensus among cybersecurity experts that many of the major
ransomware operations work out of Russia, with the authorities willing to turn
a blind eye towards attacks targeting the West. But following arrests
throughout the region, some cyber criminals are wondering if the risk is worth
it. "This is a big change. I have no desire to go to jail," wrote one forum
member. "In fact, one thing is clear, those who expect that the state would
protect them will be greatly disappointed," said another. There's even concern
that administrators of the dark web communities – who would have details about
their users – could be coerced into working for law enforcement following
arrest. Such is the paranoia among some forum members and ransomware
affiliates that they suggest moving operations to a different jurisdiction,
although this is unlikely to be a realistic option for many. "Those that are
seasoned in cybercrime understand that by moving outside of Russia, they'll be
taking on an even greater risk of being arrested by international law
enforcement agencies. These agencies that are keeping tabs on cyber criminals
will be watching for such potential moves," said Ziv Mador.
The internet runs on free open-source software. Who pays to fix it?
“Tech companies, enterprises, anyone writing software is dependent on
open-source,” says Wysopal. “Now there is a recognition at the highest levels
of government that this is a big risk.” Easterly and other experts say
that tech companies need to improve transparency. Adopting a Software Bill of
Materials, as mandated by a 2021 executive order on cybersecurity from
President Joe Biden, would help both developers and users better understand
what is actually vulnerable to hacking when software flaws are discovered.
Valsorda, who has managed to turn his own open-source work into a high-profile
career, says that formalizing and professionalizing the relationship between
developers and the big companies using their work could help. He advocates
turning open-source work from a hobbyist pursuit into a professional career
path so that critical infrastructure isn’t dependent on the spare time of a
developer who already has a full-time job. And he argues that companies should
develop systems to pay the people who maintain open-source projects their fair
market value.
The Prometheus traffic direction system is a major player in malware distribution
The goal of such traffic direction systems is to redirect legitimate web users
to malware, phishing pages, tech support scams, or other malicious operations.
This is achieved by placing malicious scripts on compromised websites that
intercept traffic or through malicious advertisements that are served to users
on legitimate websites through ad networks. The main benefit of a TDS is that
it allows cybercriminals to define redirection rules from an administration
panel based on the type of visitors hitting the system's web of malicious
landing pages. On compromised websites, Prometheus achieves this through a
simple PHP backdoor script that fingerprints visitors -- browser, OS,
timezone, language settings -- and sends the information back to a
command-and-control server from where it pulls redirect instructions defined
by attackers. This means that different categories of visitors can be
redirected to different campaigns depending on the target audience the
different groups renting TDS services want to reach and victims can also end
up seeing localized scams in their language.
Google finds a nation-state level of attacks on iPhone
The company behind the software used in these attacks, NSO, reportedly uses a
fake GIF trick to target a vulnerability in the CoreGraphics PDF parser. The
files have a .gif extension, but they are not GIF image files. The name is
solely designed to keep a user from getting worried. “The ImageIO library is
used to guess the correct format of the source file and parse it, completely
ignoring the file extension. Using this fake gif trick, more than 20 image
codecs are suddenly part of the iMessage zero-click attack surface, including
some very obscure and complex formats, remotely exposing probably hundreds of
thousands of lines of code.” As Google noted, these attacks are difficult to
thwart. Blocking all GIF images is unlikely to prove effective. First, these
files aren’t actually GIFs. The simplest approach is to block anything using a
GIF extension, but the bad guys will simply switch to a different
innocuous-sounding extension. ... Another Google point: “JBIG2 doesn't have
scripting capabilities, but when combined with a vulnerability, it does have
the ability to emulate circuits of arbitrary logic gates operating on
arbitrary memory.”
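The passage above turns on one point: the parser is chosen from the file's content, not its name, so a policy keyed on the extension never sees what the decoder sees. The following added example (not code from Google or from the article) sniffs a few constructed samples by their leading bytes and flags attachments whose declared extension disagrees with the content; the signature table and sample files are assumptions built for illustration.

```python
import os

# Constructed lookup of leading-byte signatures for a few common formats.
# A content-sniffing loader (the page says ImageIO works this way) picks the
# decoder from bytes like these and ignores the extension entirely.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

EXT_TO_FORMAT = {".gif": "gif", ".png": "png", ".jpg": "jpeg",
                 ".jpeg": "jpeg", ".pdf": "pdf"}


def sniff_format(data: bytes) -> str:
    """Format implied by the leading bytes, or 'unknown' if none match."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return "unknown"


def declared_format(filename: str) -> str:
    """Format the file name claims via its extension."""
    return EXT_TO_FORMAT.get(os.path.splitext(filename)[1].lower(), "unknown")


def check_attachment(filename: str, data: bytes, allowed=("gif", "png", "jpeg")) -> dict:
    """Content-based decision: allow only sniffed formats on the allowlist,
    and report when the extension does not match what the bytes say."""
    sniffed = sniff_format(data)
    return {
        "name": filename,
        "declared": declared_format(filename),
        "sniffed": sniffed,
        "mismatch": sniffed != declared_format(filename),
        "allowed": sniffed in allowed,
    }


# Constructed samples: a minimal genuine GIF header and a harmless PDF stub
# carrying a .gif name, standing in for the renaming trick the page describes.
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"
PDF_NAMED_GIF = b"%PDF-1.7\n% constructed stub, no real content\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("holiday.gif", REAL_GIF), ("holiday.gif", PDF_NAMED_GIF)):
        print(check_attachment(name, blob))
```

Blocking the ".gif" extension would reject the genuine file and still let the renamed PDF through under any other name; the content check treats both copies of PDF_NAMED_GIF identically regardless of extension.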
FAQ: What's happening with 5G and airport safety?
The Federal Communications Commission (FCC) concluded in 2020 that studies
warning of this danger did "not demonstrate that harmful interference would
likely result under reasonable scenarios" or even "reasonably 'foreseeable'
scenarios." Tom Wheeler, a visiting Brookings Institution fellow and former
FCC head, said in a paper that he doesn't think there's a real technical
problem. The long-term answer to this problem is to "improve the resilience of
future radar altimeter designs to RF interference." In the meantime, Wheeler
pointed out, "The FCC created a guard band between the 5G spectrum and the
avionics spectrum in which 5G was forbidden. Boeing, in a filing with the FCC,
had proposed just such a solution. The Boeing proposal was to prohibit 5G
'within the 4.1-4.2 GHz portion of the band.' The FCC agreed and then doubled
the size of Boeing's proposed guard band to a 220 MHz interference buffer
between the upper 5G usage at 3.98 GHz, and avionics usage at 4.2 GHz." That's
all well and good, but the FAA and major US and international airlines aren't
buying it.
Data Mesh Architecture Patterns
An Enterprise Data Mesh is composed of many components. Data Products, the
primary building block within a Data Mesh,
contain operational, analytic, and/or engagement data which is synchronized
across the organization using an Enterprise’s Data Mesh. APIs are used to
access data within a Data Product. To support federated governance, each Data
Product contains an audit log that records data changes and a catalog of data
it manages. An Enterprise’s Data Mesh has many Data Products. Data Products
subscribe to each other’s data such that when one Data Product changes its
data, this change is communicated to other Data Products using Change Data
Capture and an Event Streaming Backbone. Lastly, an Enterprise Data Catalog,
a synchronized aggregation of all Data Product catalogs and data changes, is
used to make it easy for any user or developer to find, consume, and govern
any data across the enterprise, while also providing the foundation for
understanding data lineage across the enterprise.
Quote for the day:
"Leadership is the key to 99 percent
of all successful efforts." -- Erskine Bowles