Daily Tech Digest - February 28, 2022

Follow your S curve

By the time Rogers’s seminal Diffusion of Innovations was published in 1962, the rural sociologist was convinced that the S curve of innovation diffusion depicted “a kind of universal process of social change.” Indeed, S curves have been used in many arenas since then, and Rogers’s book is among the most cited in the social sciences, according to Google Scholar. Johnson’s S Curve of Learning follows this well-established path. There’s the slow advancement toward a “launch point,” during which you canvas the (hopefully) myriad opportunities for career growth available to you and pick a promising one. Then there’s the fast growth once you hit the “sweet spot,” as you build momentum, forging and inhabiting the new you. And, finally, there is “mastery,” the stage in which you might cruise for a while, reaping the rewards of your efforts, before you start looking for something new, starting the cycle all over again. Johnson lays out six different roles that you must play as you travel along her learning curve. In the launch phase, where I spent what felt like an eternity, you first act as an Explorer, who searches for and picks a destination.

Automation: 5 issues for IT teams to watch in 2022

IT automation rarely involves IT alone. Virtually any initiative beyond the experimentation or proof-of-concept phase will involve at least two – and likely several – areas of the business. The more ambitious the goals, the truer this becomes. Good luck to the IT leaders that tackle “improve customer satisfaction ratings by X” or “reduce call wait times by Y” without involving marketing, customer service/customer experience, and other teams, for example. In fact, automation initiatives are best served by aligning various stakeholders from the very start – before specific goals (and metrics for evaluating progress toward those goals) are set. “It’s really important to identify the key benefits you wish to achieve and get all stakeholders on the same page,” says Mike Mason, global head of technology at Thoughtworks. This entails more than just rubber-stamping your way to a consensus that automation will be beneficial to the business. Stakeholders need to align on why they want to automate certain processes or workflows, what the impacts (including potential downsides) will be, and what success actually looks like. Presuming alignment on any of these issues can put the whole project at risk.

Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks

Daxin is a backdoor that allows the attacker to perform various operations on the infected computer such as reading and writing arbitrary files. The attacker can also start arbitrary processes and interact with them. While the set of operations recognized by Daxin is quite narrow, its real value to attackers lies in its stealth and communications capabilities. Daxin is capable of communicating by hijacking legitimate TCP/IP connections. In order to do so, it monitors all incoming TCP traffic for certain patterns. Whenever any of these patterns are detected, Daxin disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange. A successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules.

Leveraging mobile networks to threaten national security

Once threat actors have access to mobile telecoms environments, the threat landscape is such that several orders of magnitude of leverage are possible in the execution of cyberattacks. An ability to variously infiltrate, manipulate and emulate the operations of communications service providers and trusted brands – abusing the trust of countless people using their services every day – derives of threat actors’ capability to weaponize ‘trust’ built into the design itself of protocols, systems, and processes exchanging traffic between service providers globally. The primary point of leverage derives of the sustained capacity of threat actors over time to acquire data of targeting value including personally identifiable information for public and private citizens alike. While such information can be gained through cyberattacks directed to that end on the data-rich network environments of mobile operators themselves, the incidence of data breaches of major data holders across industries today is such that it is increasingly possible to simply purchase massive amounts of such data from other threat actors

A Security Technique To Fool Would-Be Cyber Attackers 

Researchers demonstrate a method that safeguards a computer program’s secret information while enabling faster computation. Multiple programs running on the same computer may not be able to directly access each other’s hidden information, but because they share the same memory hardware, their secrets could be stolen by a malicious program through a “memory timing side-channel attack.” This malicious program notices delays when it tries to access a computer’s memory, because the hardware is shared among all programs using the machine. It can then interpret those delays to obtain another program’s secrets, like a password or cryptographic key. One way to prevent these types of attacks is to allow only one program to use the memory controller at a time, but this dramatically slows down computation. Instead, a team of MIT researchers has devised a new approach that allows memory sharing to continue while providing strong security against this type of side-channel attack. Their method is able to speed up programs by 12 percent when compared to state-of-the-art security schemes.

Is API Security the New Cloud Security?

While organizations previously used APIs more sparingly, predominantly for mobile apps or some B2B traffic, “now pretty much everything is powered by an API,” Klimek said. “So of course, all of these new APIs introduce a lot of security risks, and that’s why a lot of CISOs are now paying attention.” Imperva, which Gartner named a “leader” in its web application and API protection (WAAP) Magic Quadrant, lumps API security risks into two categories, according to Klimek. The first one, technical vulnerabilities, includes a bunch of risks that can also exist in standard web applications such as the OWASP Top 10 application security risks and CVE vulnerabilities. The recent Log4j vulnerability falls into this bucket — and demonstrates how far-reaching these types of security flaws can be. Most Imperva customers tackle these API threats first, “because they tend to be some of the most acute and they require just adopting their existing application security strategies,” such as code scanning during the development process and deploying web application firewalls or runtime application self-protection technology, Klimek explained.

Inside the blockchain developers’ mind: Building a free-to-use social DApp

While we still have a pretty good user experience, telling people they have to spend money before they can use an app is a barrier to entry and winds up feeling a whole lot like a fee. I would know, this is exactly what happened on our previous blockchain, Steem. To solve that problem, we added a feature called “delegation” which would allow people with tokens (e.g. developers) to delegate their mana (called Steem Power) to their users. This way, end-users could use Steem-based applications even if they didn’t have any of the native token STEEM. But, that design was very tailored to Steem, which did not have smart contracts and required users to first buy accounts. The biggest problem with delegations is that there was no way to control what a user did with that delegation. Developers want people to be able to use their DApps for free so that they can maximize growth and generate revenue in some other way like a subscription or through in-game item sales. They don’t want people taking their delegation to trade in decentralized finance (DeFi) or using it to play some other developer’s great game like Splinterlands.

Data governance at the speed of business

Once the data governance organization has been built and its initial policies defined, you can begin to build the muscles that will make data governance a source of nimbleness that will help you anticipate issues, seize opportunities, and pivot quickly as the business environment changes and new sources of data become available. Your data governance capability is responsible for identifying, classifying, and integrating these new and changing data sources, which may come in through milestone events such as mergers or via the deployment of new technologies within your organization. It does so by defining and applying a repeatable set of policies, processes, and supporting tools, the application of which you can think of as a gated process, a sequence of checkpoints new data must pass through to ensure its quality. The first step of the process is to determine what needs to be done to introduce the new data harmoniously. Take, for example, one of our B2B software clients that acquired a complementary company and sought to consolidate the firm’s customer data. 

Irish data watchdog calls for ‘objective metrics’ for big tech regulation

Dixon said that “in some respects at least”, the DPC needs to do better and that it would be beneficial for regulators to have a “shared understanding” of what measures they are tracking. “In the absence of an agreed set of measures to determine achievements or deficiencies, the standing of the GDPR’s enforcement regime in overall terms is at risk of damage,” she said. Dixon said that this was particularly the case “when certain types of allegations” levelled against the Irish DPC “serve only to obscure the true nature and extent of the challenges” presented by the EU regulatory framework – which requires member states to legislate for the enforcement of data protection across the EU. ... That has created a vacuum and “a narrative has emerged in which the number of cases, the quantity and size of the administrative fines levied, are treated as the sole measure of success, informed by the effectiveness of financial penalties” at driving changes in behaviour.

Digital transformation: 3 roadblocks and how to overcome them

Many sectors, such as healthcare and financial services, operate within a complex web of constantly changing regulations that can be difficult to navigate. These regulations, while robust, are critical for sensitive data such as patient information in healthcare, proper execution of protocol in law enforcement, and other essential data that must be managed and used responsibly. How customer and internal data is collected, stored, managed, and used must be prioritized, especially when an enterprise transitions from legacy systems. Establishing a digital system that supports compliance with regulations is a challenge, but once the system is established, every interaction within the organization becomes data that can be monitored if you have the tools to interpret it. Knowing what is going on in every corner of an organization is central to remaining compliant, and setting up intelligent tools that can detect risk across the enterprise will ensure that your organization’s digital transformation is rooted in compliance-first strategies.

Quote for the day:

"Great Groups need to know that the person at the top will fight like a tiger for them. "-- Warren G. Bennis

No comments:

Post a Comment