Daily Tech Digest - April 21, 2022

7 ways to avoid a cloud misconfiguration attack

We tend to focus a lot on avoiding misconfiguration for individual cloud resources such as object storage services (e.g., Amazon S3, Azure Blob) and virtual networks (e.g., AWS VPC, Azure VNet), and it’s absolutely critical to do so. But it’s also important to recognize that cloud security hinges on identity. In the cloud, many services connect to each other via API calls, requiring IAM services for security rather than IP-based network rules, firewalls, etc. For instance, a connection from an AWS Lambda function to an Amazon S3 bucket is accomplished using a policy attached to a role that the Lambda function takes on—its service identity. IAM and similar services are complex and feature rich, and it’s easy to be overly permissive just to get things to work, which means that overly permissive (and often dangerous) IAM configurations are the norm. Cloud IAM is the new network, but because cloud IAM services are created and managed with configuration, cloud security is still all about configuration—and avoiding misconfiguration.
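The Lambda-to-S3 case above is a good place to see what "overly permissive just to get things to work" looks like next to a least-privilege grant. The following is an added example, not code from the article: two constructed policy documents for a hypothetical Lambda role (bucket name `example-input-bucket` is made up) and a small checker that flags Allow statements using wildcard actions or a bare `*` resource.

```python
# Added example: constructed IAM policy documents for a Lambda role that reads
# one S3 bucket, plus a checker for the wildcard grants that make such roles
# dangerously broad. Bucket name and policies are illustrative, not real.
import json

# Constructed: the "just make it work" policy, every action on every resource.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: least-privilege equivalent, read objects under one bucket prefix.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-input-bucket/incoming/*",
    }],
})

# Constructed: an explicit Deny using wildcards narrows access, so it is not flagged.
DENY_ALL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"},
})

def _as_list(value):
    """IAM accepts either a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def find_overly_permissive(policy_json):
    """Return (statement index, field, value) for each wildcard grant in an Allow.

    Any '*' in an action (e.g. 's3:*', 's3:Get*') widens the grant and is reported.
    For resources only a bare '*' is reported: an ARN ending in '/*' is a normal
    prefix grant scoped to one bucket, which is what least privilege looks like.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "Resource", resource))
    return findings
```

Running the checker over a role's inline and attached policies before deployment catches the `"*"` grants that tend to slip in during debugging and never get removed.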

A.I. Is Mastering Language. Should We Trust What It Says?

So far, the experiments with large language models have been mostly that: experiments probing the model for signs of true intelligence, exploring its creative uses, exposing its biases. But the ultimate commercial potential is enormous. If the existing trajectory continues, software like GPT-3 could revolutionize how we search for information in the next few years. Today, if you have a complicated question about something — how to set up your home theater system, say, or what the options are for creating a 529 education fund for your children — you most likely type a few keywords into Google and then scan through a list of links or suggested videos on YouTube, skimming through everything to get to the exact information you seek. (Needless to say, you wouldn’t even think of asking Siri or Alexa to walk you through something this complex.) But if the GPT-3 true believers are correct, in the near future you’ll just ask an L.L.M. the question and get the answer fed back to you, cogently and accurately. Customer service could be utterly transformed: Any company with a product that currently requires a human tech-support team might be able to train an L.L.M. to replace them.

NSO Group faces court action after Pegasus spyware used against targets in UK

NSO argued in a response to the legal letters that UK courts have no jurisdiction over NSO, which is based in Israel, and that legal action is barred by “state immunity”. The company also argued that there was no proper basis for showing that NSO acted as a “data controller or a data processor” under UK data protection law. There is no basis to claim that NSO joined in a “common design” with Saudi Arabia or the UAE that would make it “jointly liable” with the two countries, it said. NSO said it provides surveillance software for the “exclusive use” of state governments and their intelligence services. It claimed to pride itself on being the only company in this field “operating under an ethical governance framework that is robust and transparent”. The company said it had policies in place to ensure its “products would not be used to violate human rights”. It claimed that the legal letters repeated “misinformation” from reports and statements by non-governmental organisations, including Citizen Lab, Amnesty International and Forbidden Stories.

IP addressing could support effective network security, but would it be worth it?

VPNs actually provide pretty good protection against outside intrusion, but they have one problem—the small sites. MPLS VPNs are expensive and not always available in remote locations. Those sites often have to use the internet, and that can mean exposing applications, which means increasing the risk of hacking. SD-WAN, by adding any site with internet access to the corporate VPN, reduces that risk. Or rather it reduces that particular risk. But hacking in from the outside isn’t the only risk. These days, most security problems come from malware planted on a computer inside the company. There, from a place that’s already on whatever VPN the company might use, the malware is free to work its evil will. One thing that can help is private IP addresses. We use private IP addresses literally every moment of every day, because virtually all home networking and a lot of branch-office networking are based on them. There is a series of IPv4 and IPv6 address ranges set aside for use within private subnetworks, like your home. Within the private subnet, these addresses work like any IP address, but they can’t be routed on the internet.

CIOs increasingly tap contract IT as talent gap filler

CIOs also typically find they can more easily get workers with high-demand skills on a temporary basis, Mok says. Markow agrees, adding: “You can really bring in new skill sets and capabilities more quickly in some cases.” But CIOs must be careful not to misclassify workers as contract when they should be staff, a legal distinction that could run the company afoul of labor laws, Mok says. In addition to potentially misclassifying these workers, Mok says CIOs who use contract and freelance workers too heavily or for extremely long stretches are often also operating on a more reactionary versus strategic basis, which can translate to missed opportunities, higher costs, and poor morale. “Using contract workers can be more cost effective when you have ad-hoc needs that need to be addressed,” Markow adds. “But that said, it can be more costly if those projects run far longer than anticipated or roll into other needs or if there are unintended requirements that come about and those workers need to stay on.”

Cybersecurity litigation risks: 4 top concerns for CISOs

The risk of litigation is not limited to corporations. CISOs themselves face being subject to legal action for breach of duty where insufficient steps were taken to prevent a breach, or the aftermath of the breach was handled badly, says Simon Fawell, partner at Signature Litigation LLP. Jinivizian agrees: “The role of the CISO has never been more critical for mid/large enterprises, and potentially more in the crosshairs and held accountable for security incidents and data breaches, as illustrated by the ongoing class action against SolarWinds’ CISO and other executives following the devastating supply chain attack in 2020,” he states. This is also evidenced by the charges against Uber’s CSO for allegedly trying to cover up a ransomware payment relating to the 2016 attack that compromised data of millions of users and drivers, Armstrong adds. If a CISO acts as a company director, then they could face shareholder actions for breach of duty following data and privacy breaches based on damage to company value, says Fawell. “Shareholder actions against directors have been on the rise in the UK and, where a data breach has led to a drop in value for shareholders, claims against directors are increasingly being considered.”

The Cybersecurity Threats Facing Smart Buildings

IoT devices are common appliances that you might even find around your home but that are connected to the internet. Examples of IoT devices include doorbell cameras, smart meters, fitness trackers, smart speakers, and connected cars. An unprotected device is like leaving the backdoor open or a key under the mat. There were even security doubts raised about whether Joe Biden could bring his Peloton bike into the White House when he became president. Ensuring that every single device connected in a smart building has adequate security is a must if companies want to avoid data breaches. While as much autonomy as possible is better for smart buildings, there ultimately must be some human input. Often, the people using the systems are the ones who can leave them the most vulnerable. Everyone makes mistakes, but when it comes to cybersecurity, one mistake is all it takes for a network to be breached and data to be mined. Human error in this instance might be accidentally downloading or clicking a link to malware, or using an old password and not changing it.

How IT departments enable analytics operations

Modern IT organizations need a mix of infrastructure and data skills because both enable an insight-driven enterprise. Infrastructure skills are necessary to achieve an architecture that can support data analytics requirements, including scalability, data governance and data security. Today, building, operating and innovating on an AI-based value proposition is getting simpler with the aid of advanced AI cloud platforms. "This means we will need business, product and technology teams who bring skills with deep experience in leveraging data and to offer comprehensive products and capabilities that are aligned to the business context," said Rizwan Akhtar, executive vice president and CTO of business technology at real estate services company Realogy Holdings. Fundamentally, IT needs to have stronger math skills, including linear algebra, statistics, calculus and maybe inferential geometry -- skills that data scientists tend to have. However, given the mainstream adoption of AI and machine learning (ML), there are now tools that make it easier for non-data scientists to do more.

EF Core 7 Finally Divorces Old .NET Framework

In fact, it was only last summer that we reported the dev team was still playing catch-up to the old version of EF (which stopped at version 6) in the article "EF Core 6 Dev Team Plays Catch-Up with EF6." However, while it plays catch-up, the team also introduces new goodies not to be found in the .NET Framework version. Microsoft guidance says: "EF Core has always supported many scenarios not covered by the legacy EF6 stack, as well as being generally much higher performing. However, EF6 has likewise supported scenarios not covered by EF Core. EF7 will add support for many of these scenarios, allowing more applications to port from legacy EF6 to EF7. At the same time, we are planning a comprehensive porting guide for applications moving from legacy EF6 to EF Core." And in the first preview release of EF Core 7.0 that was announced last week, an important milestone was reached. "EF7 will not run on .NET Framework," said Microsoft senior program manager Jeremy Likness in a Feb. 17 blog post.

Dynamic Value Stream Mapping to Help Increase Developer Productivity

In other industries such as manufacturing, supply chain, or distribution we can find wide adoption of process analysis and lean practices for efficiency gains. Let’s consider Value Stream Mapping, the key practice facilitating process analysis and further improvement. A Value Stream Map depicts every step in the process and categorizes each step in terms of the value it adds and what value is wasted. Despite the fact that the software industry has been adopting lean principles [Lean Software Development Principles (Poppendieck and Poppendieck, 2003) and The Principles of Product Development Flow (Reinertsen, 2009)], the technique of value stream mapping has not gained a lot of traction in the software industry. So what prevents software engineering organizations from adopting value stream mapping as a foundation for software delivery capability optimization? Even though the practice has existed for a long time and is well known among agile and lean coaches, knowledge and adoption among enterprises are falling behind.

Quote for the day:

"Never doubt that a small group of thoughtful, committed citizens can change the world. Indeed, it is the only thing that ever has." -- Margaret Mead